THE  BLOG:  YOUR  NEW,  IMPROVED  PROJECT  MANAGEMENT  TOOL  Page  17 


VIRTUAL  BOXES* 
REAL  RISKS 

10  tips  for  mitigating 
virtualization’s 
security  risks 

Page  41 


PCI  AND  THE 
MID-MARKET 

Strategies  for 
new  credit  card 
regulations 

Page  22 


BUSINESS  TECH 


MICROSOFT  SYSTEM  CENTER.  DESIGNED  FOR  BIG 

TwW0*7 iil^2■iliBm  WM  I . . . . . I  II  ^ 

1 - ■■  _  r^'s-(J^%-  f^Qil  1130 1  1166  .,-  •  . ^'■^'raT-QaiM  1417 1  i  ~;"U  L . «**  -■“""" 


1072 1 


@1177 


V-4~ 


1241 .1 


iil 


il38oH  -4V^ 


1020  3J 


f  H64  ■ 12G°i 


ZJC'E 


-m  f  1127  1°3i  l1199j 


1  1343  I 


|;f  Ci:  j  CIS !  1054; 

_  I  VtWW^  ■*'*■'■' 


1090  nzo  j 


Wl  1053il°89pj^J 


nr  •-- :s  «*  10ftt;  p§  i-iAT  mm  id//® 
1161  H57  333,  ^7^  77 


2  4  :  1160  1156 


l  -  ±-  '  _ J 

' -3l^iiirtiof^;',::^a^;:'r': 
;"'  .feiaiiSSi, 


: ;  : :  El 


Microsoft* System  Center  is  a  family  of 
IT  management  solutions  (including  Operations 
Manager  and  Systems  Management  Server) 
designed  to  help  you  manage  your  mission- 
critical  enterprise  systems  and  applications. 


940  976  1012  1048  1084  ;  1120,  Ii56  H92  j 


Nissan  manages  56,500  PCs  on  three  continents 
with  System  Center.  That's  big.  See  Nissan  and 
other  case  studies  at  DesignedForBig.com 


Microsoft1 


Mlfl 


1088 


1083 


What  does  it  take  to  provide  360°  communications 
in  a  24/7  business  world? 


Expectations  are  high  for  communication  systems  in  today’s  connected  world.  They  are  expected 
to  deliver  a  lower  cost  of  ownership  while  ensuring  that  people  are  available  and  have  the  tools 
necessary  to  collaborate.  NEC,  the  global  IT  and  networking  company,  delivers  mobility  and  unified 
communications  that  integrate  with  our  UNIVERGE®  IP  Telephony  platforms,  to  improve  business 
processes  and  customer  relationships  by  connecting  people  to  people  and  the  information  they 

need  anytime,  anywhere.  NEC,  Empowering  you  through  innovation. 

- 

1—  www.necus.com/necip 


IT  SERVICES  AND  SOFTWARE  ENTERPRISE  NETWORKING  AND  COMPUTING  SEMICONDUCTORS  IMAGING  AND  DISPLAYS 


NEC  is  proud  to  have  the  No.  1  worldwide  ranking  in  enterprise  telephony  extension  line 
shipments  in  2006,  for  the  second  year  in  a  row,  according  to  Gartner* 

‘Market  Share:  Enterprise  Telephony  Equipment  Worldwide,  2006;  Megan  Fernandez  &  Isabel 
Montero,  July,  2007  ©NEC  Corporation  2007.  NEC  and  the  NEC  logo  are  registered  trademarks 
of  NEC  Corporation.  Empowered  by  Innovation  is  a  trademark  of  NEC  Corporation. 


Empowered  by  Innovation 


JANUARY  15,  2008  I  VOL/21  I  NO/7 


Columns 


5  0  Who 's  Your  Customer? 

strategic  cio  Direct  Energy’s  CIO  is 
trying  to  change  the  perception  that  IT’s 
customer  is  the  internal  employee  in  order  to 
foster  a  focus  on  what  matters  most.  The  lan¬ 
guage  he  uses  to  talk  about  customers, 
colleagues  and  IT  projects  is  key. 

By  Kumud  Kalia 

60  Five  Things  I've  Learned 


22  Security:  Sink  or  Swim 

mid-market  |  compliance  If  you  want  to  transact  business 
with  credit  cards,  you  have  to  follow  security  standards.  Companies 
that  don’t  comply  face  fines  or  worse.  So  why  aren’t  more  mid-market 
merchants  already  in  compliance?  By  Michael  Jackman 

30  One  Company,  One  Vision, 

One  Truth 

COVER  STORY  |  MASTER  DATA  MANAGEMENT  As  Nationwide 
Insurance  grew,  financial  data  silos  became  the  norm  rather  than  the 
exception,  and  the  new  CEO  and  CFO  realized  they  had  a  serious 
problem.  By  Thomas  Wailgum 

41  Real  Risks  Inside 

Every  Virtual  Box 

virtualization  You’ve  fallen  in  love  with  virtualization.  Well, 
why  not?  It  can  lower  costs  and  supercharge  your  ability  to  respond  to 
business  needs.  But  it  also  raises  your  risk  profile.  Not  so  good.  Here  are 
10  ways  to  mitigate  those  risks.  By  Laurianne  McLaughlin 


the  voice  of  experience  Tom  Ridge, 
former  U.S.  secretary  of  homeland  security, 
now  heads  Ridge  Global,  an  advisory  firm. 

He  believes  another  terrorist  attack  is  likely. 

more  » 


COVER  PHOTO  BY  STEPHEN  WEBSTER 


www.cio.com  |  JANUARY  15,  2008,  2008  3 


6  From  the  Editor 

When  it  comes  to  running  a  business, 
it  helps  to  know  what  you’re  talking 
about.  By  Abbie  Lundberg 

8  From  the  CEO 

It’s  not  just  about  printers  and 
hardware  anymore. 

By  Michael  Friedenberg 

11  Trendlines 

What  to  do  when  your  IT  provider 
is  sold 

Mobile  phones  in  China  and  Finland 

►  Don’t  complain  in  your  company  e-mail 

►  The  five  greenest  electronics  makers 

►  Outsourcing  in  India  and  in  Brazil 

►  Relocate  or  telecommute? 

17  Essential  Technology 

Too  many  enterprise  users  get  lost  in 
storms  of  reply-all  e-mails  while  trying 
to  manage  projects  or  collaborate. 

Blogs  make  a  better  answer. 

By  C.G.  Lynch 

58  Index 


Outsourcing  in  the  New  Year 

From  widening  currency  gaps  to  industry  mergers 
to  an  ever-expanding  range  of  outsourcing  options, 
Stephanie  Overby  offers  her  predictions  for  out¬ 
sourcing  in  2008.  Meanwhile,  research  analystf  irm 
Gartner  estimates  U.S.  spending  on  offshore  IT 
services  to  grow  by  40  percent  in  the  next  year  and 
ranks  the  top  30  likely  beneficiaries  of  those  dollars. 
The  new  year  should  keep  IT  service  providers  and 
customers  on  theirtoes. 


»  www.cio.com/article/166108 
»  www.cio.com/article/1642 00 

[CAREERS] 

WHAT  CEOS  WANT 
FROM  CIOS 

Thomas  Wai  Igum  shares  10  pieces  of 
advice  from  executive  search  leader 
Jack  Groban—straightforward,  action¬ 
able  pieces  that  every  CIO  or  IT  leader 
in  training  should  print  out  and  tape  to 
his  office  wall. 

http://advice.cio.com/thomas_ 

wailgum/what_ceos_want_from_cios 


[ADVICE] 

NETWORKING 
FOR  COMPUTER 
GEEKS 


[GADGETS] 

10  REASONS  NOT  TO 
SUPPORT  THE  IPHONE 

Forrester  Research  says  IT  departments 
should  refuse  to  support  Apple  iPhones, 
even  if  CEOs  are  the  ones  asking  to  use 
the  devices  for  access  to  corporate 
networks  and  systems. 


Schmoozing  is  a  trial  for 
shy  people,  but  armed 
with  these  common-sense 
tips,  wallflowers  can 
finally  join  the  party. 
www.cio.com/article/ 
164300 


www.cio.com/article/165254 


»  The  Year  Ahead  Six  enterprise  application  trends 
to  watch  in  2008 

»  Whoops  CIO’s  top  10  tech-induced  apologies 
»  Survey  Says  Employees  prefer  more  time  off  over  a  raise 
»  Careers  CIOs  have  more  job  opportunity,  but  also 
more  competition 


4  JANUARY  15,  2008,  2008  |  www.cio.com 


ruwei  iui 

Efficient, 


mm 


bUblKAUIUIN. 

Take  away  the  jungle  of  cables.  Take  away  the  so-called 
"normal"  energy  requirements  and  maintenance. 
What  do  you  have?  Introducing  the  HP  BladeSystem 
c3000.  All  the  technology  of  our  larger  BladeSystem 
in  an  efficient,  compact,  affordable  package. 

Technology  for  better  business  outcomes. 


Powered  by  the  C 


O 


See  how  less  is  more.  Visit  hp.com/go/nocompromise2 
1-800-888-8430 


Alternative  Thinking  About  Server  Rooms: 


st 


- 


1 .  Intel,  the  Intel  logo.  Xeon,  and  Xeon  Inside  are  trademarks  or  registered  trademarks  of  Intel  Corporation  in  the  U.S.  and  other  countries. 
The  information  contained  herein  is  subject  to  change  without  notice.  ©  2008  Hewlett-Packard  Development  Company,  L.P. 


FROM  THE  EDITOR 


Truth  and  Meaning 

When  it  conies  to  running  a  business,  it  helps  to  know 
what  you’re  talking  about 

There  are  times  when  I  just  know  I’m  in  a 

time  warp.  I  had  that  experience  as  I  was  reading 
Senior  Writer  Tom  Wailgum’s  cover  story,  “One 
Truth”  (see  Page  30),  about  the  latest  hot  thing  in 
the  information  management  field:  master  data 
management. 

MDM,  as  Wailgum  describes  it,  is  a  set  of  pro¬ 
cesses  and  technologies  that  helps  organizations 
enforce  data  policies  and  definitions  on  an  enter¬ 
prise  scale.  By  creating  a  “single  version  of  the 
truth,”  companies  can  do  better  trend  analysis  and  forecasting,  and  enjoy  more 
robust  budgeting,  reporting  and  accounting  processes. 

As  I  read  Wailgum’s  account  of  how  Nationwide  Insurance  approached  the 
challenge,  I  recalled  a  series  of  articles  we  published  on  data  warehousing  in  the 
’90s— an  earlier  attempt  to  arrive  at  a  single  version  of  the  truth  (though  without 
the  ability  to  engage  in  the  operational  environment).  The  main  issue  then  was 
getting  people  to  agree  to  common  data  definitions  and  processes.  We  profiled 
companies  building  data  warehouses,  with  managers  sequestered  in  conference 
rooms  for  months  to  hash  out  the  best  terms  and  definitions  for  things  like  “cus¬ 
tomer”  or  “sale”  and  fight  over  who  had  to  change  the  way  they  did  business. 

Compare  that  to  Wailgum’s  article  today:  “Good  master  data  governance  can 
happen  only  when  the  various  constituencies  that  own  the  data  sources  agree  on 
a  common  set  of  definitions,  rules  and  synchronized  procedures,  which  requires 
a  degree  of  political  maneuvering  that’s  not  for  the  faint  of  heart.” 

Despite  the  significant  technological  advances  that  have  happened  in  those 
intervening  years  (did  I  mention  that  MDM  lets  you  extend  your  single  version  of 
the  truth  beyond  the  data  warehouse  out  into  the  operational  environment?),  the 
fact  is  that  the  hardest  part  will  always  be  getting  people  to  negotiate  and  agree 
on  what  things  mean.  There  are,  I’m  sure,  equally  good  arguments  to  be  made  for 
why  “customer”  should  mean  an  individual  making  a  purchase  and  why  it  should 
mean  a  household  (for  instance,  my  husband  and  I  don’t  both  need  our  very  own 
copy  of  the  Eddie  Bauer  catalog,  but  since  we’re  viewed  as  two  separate  customers, 
we  get  them  anyway).  Maybe  someday  a  computer  program  will  be  able  to  make 
those  calls  for  us,  but  I’m  not  going  to  hold  my  breath.  In  the  meantime,  someone’s 
got  to  facilitate  all  this.  Yet  another  example  of  why  technical  proficiency  is  not  the 
sine  qua  non  for  today’s  CIOs. 


Abbie  Lundberg,  Editor  in  Chief 

lundberg@cio.com 


PHOTO  BY  STEVEN  VOTE 


BUSINESS  TECHNOLOGY  LEADERSHIP 


president  and  ceo  Michael  Friedenberg 

publisher  Bob  Melk 
publisher  emeritus  Gary  J.  Beach 

EDITORIAL 

EDITOR  IN  CHIEF 

Abbie  Lundberg 

EDITOR 

David  Rosenbaum 

EXECUTIVE  EDITOR 

Elana  Varon 

ASSISTANT  MANAGING  EDITOR 

Christine  Celli 

TECHNOLOGY  EDITOR 

Laurianne  McLaughlin 

SENIOR  EDITORS 

Steff  Gelston,  Kim  Nash, 

Stephanie  Overby 

SENIOR  WRITER 

Thomas  Wailgum 

STAFF  WRITER 

C.G.  Lynch 

COPY  CHIEF 

Dave  Gradijan 

COPY  EDITOR 

Susan  Bryant-Still 

ASSOCIATE  COPY  EDITOR 

.  Kristin  Burnham 

EDITORIAL  ASSISTANT 

Jarina  D'Auria 

EDITORIAL  ADMINISTRATOR 

Jill  Paquette 

CONTRIBUTORS 

Michael  Jackman,  Kumud  Kalia,  Steve  Kelner 
Reynold  Lewke,  Katherine  Walsh 

DESIGN 

EXECUTIVE  DIRECTOR,  ART  AND  DESIGN 

Mary  Lester 

ART  DIRECTORS 

Terri  Haas,  Steve  Traynor 

ONLINE  EDITORIAL 

ONLINE  EDITORIAL  DIRECTOR 

Christopher  Lindquist 

ONLINE  MANAGING  EDITOR 

Michael  Goldberg 

SENIOR  ONLINE  EDITORS 

Meridith  Levinson,  Shawna  McAlearney, 
Esther  Schindler 

ASSOCIATE  ONLINE  EDITOR 

Diann  Daniel 

ONLINE  WRITER  Al  SaCCO 

RESEARCH 

RESEARCH  MANAGER 

Carolyn  Johnson 

SENIOR  RESEARCH  ANALYST 

Seanna  Maguire 


I  N  C. 


INTERNATIONAL  DATA  GROUP 

board  chairman  Patrick  J.  McGovern 

president,  idg  communications  Bob  Carrigan 


©CXO  Media  Inc. 


who  covers  what  www.cio.com/staff 
e-mail  letters@cio.com  phone  508  872-0080 
fax  508  879-7784  address  CIO  Magazine, 

CXO  Media  Inc.,  492  Old  Connecticut  Path, 

P.0.  Box  9208,  Framingham,  MA  01701-9208 
website  www.cio.com  SUBSCRIBER  SERVICES  866  354-1125 
•  Fax  847  564-9453  •  E-mail  cio@omeda.com 
reprints  and  permissions  •  The  YGS  Group, 

800  290-5460,  ext,  150  •  E-mail  cio@theygsgroup.com 


6  JANUARY  15,  2008  |  www.cio.com 


THOUGHTS  ON  THE  EVOLUTION 
OF  THE  DATACENTER 


Should  I  design 
my  data  center 
around  my  data, 
or  their  network? 
That’s  easy. 


INTRODUCING  THE  BROCADE  DCX. 

There  are  two  very  different  visions  for  how  the  world’s  data  centers  will  evolve.  For  some,  the  decision 
is  easy.  With  the  new  Brocade  DCX”  as  the  foundation,  you  can  evolve  your  data  center  around  your 
applications  and  your  data.  The  result?  You  can  dramatically  improve  efficiency  while  reducing  cost  and 
risk — building  on  the  technology  you  already  own.  Get  the  free  white  paper  at 


BROCADE 


©  2007  Brocade:  Communications  Systems,  Ino.  All  rights  reserved.  Brocade  is  a  registered  trademark,  and  the  B-wing  symbol  and  DCX  are 
trademarks  of  Brocade  CotjimLrnicatiefns  Systems,  Inc,  -  I  t 


FROM  THE  CEO 


HP's  Evolution 

It’s  not  just  about  printers  and  hardware  anymore 

For  the  high-tech  vendor  community,  2007 
was  a  great  year.  At  Google,  Microsoft,  EMC,  IBM, 
Oracle,  SAS,  Sun  Microsystems,  Apple,  Fujitsu, 
SAP  and  others,  profits  grew,  new  products 
emerged  out  of  a  renewed  focus  on  innovation, 
and  customer  engagement  increased.  But  one 
company  led  all  the  rest  and  had  a  year  for  the 
record  books— Hewlett-Packard. 

In  2006,  the  market  was  starting  to  see  how 
HP  Chairman,  CEO  and  President  Mark  Hurd’s 
strategy  of  financial  accountability  and  laser-like  customer  focus  was  taking  shape. 
Last  year,  it  not  only  took  shape  but  launched  like  a  rocket  ship! 

With  over  $104  billion  in  revenue,  HP  is  now  the  largest  technology  company  in 
the  world.  But  what  is  probably  the  most  fascinating  part  of  HP’s  transformation 
is  the  fact  that  it’s  rapidly  becoming  a  serious  software  player.  Over  the  past  few 
years,  HP  has  acquired  Opsware,  Peregrine,  Mercury,  Knightsbridge  and  Neoware, 
and  Hurd  has  suggested  that  the  checkbook  is  still  wide  open.  (It’s  been  reported 
that  HP  has  $1  billion  allocated  for  acquisitions  this  year.)  This  buying  spree  now 
has  HP  doing  over  $2  billion  a  year  in  software  revenue  and  has  allowed  it  to 
immerse  itself  in  the  network  and  systems  management  categories. 

Just  imagine  what  HP  could  do  if  it  added  a  virtualization  solution  by  purchas¬ 
ing  Citrix  (just  as  Citrix  did  by  acquiring  XenSource  last  summer),  or  made  a 
“last  mile”  business  intelligence  play  by  buying  MicroStrategy,  or  linked  up  with 
a  security  company  like,  say,  Symantec.  Then  we’d  really  have  something  to  talk 
about.  This  is  all  conjecture,  but  what’s  not  is  that  HP  is  trying  very  hard  (and  so 
far  succeeding)  to  become  more  than  a  printer  and  hardware  company.  This  isn’t 
to  say  that  it  doesn’t  have  ongoing  issues  with  CIOs— making  the  integration  of 
its  recently  acquired  companies  a  smooth  proposition,  becoming  more  strategic 
up  and  down  the  entire  software  stack  and  dealing  with  competitors  suddenly 
paying  closer  attention  to  it. 

Nonetheless,  HP  is  now  the  No.  5  software  company  in  the  world,  and  it  has 
no  plans  to  go  away  anytime  soon.  It  will  be  fascinating  to  see  this  year  how  the 
company  responds  to  the  CIO’s  demands  and  if  it  has  the  ability,  or  desire,  to  scale 
beyond  the  infrastructure  realm. 

I  will  say  this:  These  days,  betting  against  Mark  Hurd  has  become  a  scary,  if 
not  a  flat-out  losing  proposition. 


Michael  Friedenberg,  President  and  CEO 

mfriedenberg(5)cio.com 


BUSINESS  TECHNOLOGY  LEADERSHIP 


president  and  ceo  Michael  Friedenberg 
publisher  BobMelk 
publisher  emeritus  Gary  J.  Beach 

CXO  MEDIA  INC 

CIRCULATION 

subscription  svcs.  supervisor  Tina  Pescaro 
CIO  EXECUTIVE  COUNCIL 
GENERAL  MANAGER  Mark  Hall 
MANAGING  DIRECTOR.  PROGRAM  SERVICES  Shaw  Lively 
vp,  development  Dexter  Siglin 
vp,  executive  development  Stefanie  Egan 
managing  dir.,  content  development  Richard  Pastore 
mgr.,  group  services  and  research  Michael  Swenson 
marketing  communications  manager  Jennifer  Baker 
senior  architect  Lawrence  Coffin 
director  of  development  Steve  Rovniak 
group  manager,  member  services  Carrie  Mathews 
senior  manager,  group  services  Ellen  Friedman 
program  services  managers  David  Best. 

Joyce  Dunnells.  Michael  Fahlsing,  Andrea  List, 

Bill  Roche,  Janet  Williams 

program  specialists  Lisa  Desmarais,  Susan  Hupp 
relationship  managers  Russell  Fairhurst  Jr., 

John  Harrison,  Kathy  Mayer 

content  development  specialist  Diane  Frank 
development  managers  Ai  Collins,  Bob  Diack. 
Michael  Herrera, 

development  associate  Kristin  Bradshaw 
sales  associate  Jennifer  Finn 

EXECUTIVE  PROGRAMS 
vp,  executive  programs  Ellen  Daly 
dir.,  event  marketing  Mary  Conroy 
dir.,  event  operations  Deb  Begreen 
senior  conference  producer  Judith  Kittredge 
national  sales  manager  John  Fondnazio 
event  planner  Sarah  Reagan 
event  coordinator  Bethany  Whiffin 
client  services  specialist  Cress  O'Brien 
client  relations  associate  Erica  Foster 
sales  associate  Nicole  Blackburn 

INFORMATION  SYSTEMS 
idg  dir,  of  information  services  Nancy  Newkirk 
i.t.  manager  Sean  McCracken 
senior  user  support  specialists 
Christopher  A.  Kay,  Thomas  Lupien 
user  services  specialist  Gloria  Lam 
associate  user  support  specialist  James  Brevard 
senior  web  developer  David  Cohen 
web  developer  Sanghee  Seo 

PRODUCTION 
VP,  MANUFACTURING  Chris  CU0C0 

production  manager  Heidi  Broadley 
associate  production  manager  Lisa  M.  Stevenson 

MARKETING 

sr,  director,  marketing  comm.  Sue  Yanovitch 
sr.  marketing  comm,  specialist  Susan  Murray 
marketing  and  pr  specialist  Lynn  Holmlund 

RESEARCH 

research  manager  Carolyn  Johnson 
senior  research  analyst  Seanna  Maguire 

ADMINISTRATION 

coo  Matt  Smith 

senior  financial  analyst,  online  and 
integrated  products  Chris  Bernardi 
accounting  specialist  Amy  Small 
executive  assistant  to  the  president  Diane  Martin 
facilities  specialist  John  Kelley 
office  services  coordinator  Mary  E.  Wooldridge 

HUMAN  RESOURCES 

vp,  human  resources  Patricia  Chisholm 

hr  representative  Pauline  Boyle 


INTERNATIONAL  DATA  GROUP 

board  chairman  Patrick  J.  McGovern 

president,  idg  communications  Bob  Carrigan 


8  JANUARY  15,  2008  |  www.cio.com 


PHOTO  BY  CHRISTOPHER  HARTING 


Innovations  by  InterSystems 


Embed  the  fastest  database. 


For  software  developers  seeking  competitive  advantages,  InterSystems  Cache®  makes 
applications  more  valuable  by  increasing  their  speed  and  scalability,  while  decreasing  hard¬ 
ware  and  administration  requirements.  This  is  the  fastest  database  engine  you  can  put  in 
your  applications,  and  it's  the  only  database  that  gives  you  the  combined  benefits  of 
object  and  relational  technologies.  Thanks  to  its  innovative  architecture,  Cache  spares  Java 
and  .NET  programmers  a  lot  of  tedious  work  by  eliminating  the  need  for  object- 

relational  mapping.  Cache  is  available  for  Unix,  Linux,  Windows,  Mac  ,  L  „  L 

°  ,  InterSystems  f 

OS  X,  and  OpenVMS  -  and  it  supports  MultiValue  development.  Cache 
is  deployed  on  more  than  100,000  systems  worldwide,  ranging  from  two 
to  over  50,000  users.  Embed  our  innovations,  enrich  your  applications. 

Make 

Applications 

More 

Valuab 

Download  a  free,  fully  functional,  no-time-limit  copy  of  Cache,  or  request  it  on  CD,  at  InterSystems.com/Cache28F 


©  2008  InterSystems  Corporation.  All  rights  reserved.  InterSystems  Cachd  is  a  registered  trademark  of  InterSystems  Corporation.  1-08  EmbcdCache28  CIO 


Goldfish  have  a  memory  span  of  3  seconds. 


They  can’t  even  see  the  past,  much  less  the  future. 

But  you  can.  With  proven  business  intelligence  and  analytic  software  from  SAS. 


Wm  fmm  t 


i  *  Sill*  I  I 


www.sas.com/goldfish 


®  indicates  USA  registration.  Other  be 


EDITED  BY  LAURIANNE  McLAUGHLIN 


NEW 


3CJJ  C 

*  HOT  * 


outsourcing  The  takeover 
turmoil  at  outsourcing  provider 
Affiliated  Computer  Services  may 
be  a  tad  over  the  top  (see  “The  Mess 
at  ACS”  at  www.cio.com/articte 
/ 159552 ),  but  one  thing  is  certain; 
More  mergers  and  acquisitions  are 
on  the  way. 

"The  industry  is  ripe  for  another 
round  of  consolidation,”  says  Gartner 
research  director  Dane  Anderson. 

IBM,  for  example,  has  been  buy¬ 
ing  up  companies  for  years:  at  least 
40  since  2000.  And  then  there  are 
the  offshore  outsourcers— cash  rich 
and  eager  to  expand  their  global 
footprint.  “I  expect  to  see  more 
deals  like  Wipro’s  purchase  of  Info¬ 
crossing  a  few  months  ago,”  says 


Chris  Pattacini,  VP  of  outsourcing 
consultancy  Nautilus  Advisors, 
referring  to  the  India-based  out¬ 
sourcing  giant’s  acquisition  of  the 
U.S. -based  provider. 

Given  what  experts  expect  to  be  a 
consolidating  market  for  outsourc¬ 
ing  service  providers,  it  pays  for 


customers  to  be  prepared.  Here  are 
some  tips  on  what  to  do  when  your 
IT  services  provider  is  sold. 

1.  Keep  an  eye  on  service  lev¬ 
els,  Once  a  merger  is  complete, 
it  means  change.  Delivery  and 
account  management  staff  may  get 
reassigned  Continued  on  Page  12 


Where  Did  Your  Provider  Go? 


IIUmiiimi!ltmiSiIlIliiii!S!miliIll!Iiililill!iilSliIIlIil!Ii!iiIliiliiilllim!SiiliSIIIiiiIli!iiiilllS!illi!l!iS!SiiI!!i!lli 


China  Calling,  Finland  Answering 


mobile  phones  As  American  cell  phone  compa¬ 
nies  continue  to  battle  the  tedious  war  of  dropped  calls 
and  trail  the  rest  of  the  world  in  the  development  of  new 
gadgets  and  strategies  (see  “Blowing  Mobile,”  www.cio 
.com/article/123705),  China  is  getting  more  of  the 
global  market  than  ever  before. 

According  to  a  report  released  last  month  by  the  Chi¬ 
nese  government,  more  than  40  percent  of  the  world's 
cell  phones  were  produced  in  China  last  year,  a  41  per¬ 
cent  increase  over  2006.  That  translates  to  roughly  500 
million  phones  carrying  the  “Made  in  China”  stamp. 

Despite  this  production  typhoon,  China  saw  a  drop  of 
two  points  in  its  share  of  its  own  marketplace  last  year 
and  blamed  increased  competition.  Finland’s  Nokia  is 
shipping  more  than  two-thirds  as  many  units  to  Chinese 
retail  outlets  than  Chinese  mobile  phone  manufacturers. 


Nokia,  which  held  its  annual  investors’  event  last 
month,  predicts  that  the  global  mobile  market  will  grow 
by  10  percent  this  year,  to  roughly  1.2  billion  units  world¬ 
wide,  particularly  throughout  Asia,  the  Middle  East  and 
Africa.  The  company  hopes  to  stay  on  top  by  focusing  on 
further  integrating  the  Internet  with  mobile  devices  and 
announced  its  acquisition  of  Awenu,  a  California-based 
company  that  allows  users  to  access  personal  files  on 
their  PCs  from  a  mobile  phone  as  part  of  this  plan. 

A  recent  report  from  market  research  firm  in-Stat 
also  predicts  further  Internet  and  mobile  device  integra¬ 
tion,  reporting  that  the  number  of  Web-enabled  mobile 
phones  in  use  worldwide  will  increase  by  an  average  of 
33  percent  a  year  through  2012.  The  implications  of  that 
should  keep  Chinese  factories  humming  well  into  the 
future.  -At  Sacco 


ILLUSTRATION  BY  JOHN  S.  DYKES/THEISPOT.COM 


www.cio.com  |  JANUARY  15,  2008  11 


I 


I 


Yet  Another  Reason 
Not  to  Grouse in  E-Mail 

privacy  A  researcher,  Gilbert  Peterson,  working  at  the  Air 
Force  Institu  te  of  Technology  (AFIT)  in  Ohio,  has  found  a  new  use 
for  an  open-source  algorithm:  snooping  through  company  e-mail. 

The  original  application,  Author-Topic,  developed  by  research¬ 
ers  at  the  University  of  California,  Irvine,  is  essentially  a  data  min¬ 
ing  tool  that  chews  on  textual  information  and  was  designed  to 
analyze  topics  people  talk  about.  If,  for  example,  it’s  fed  academic 
journal  articles,  Author-Topic,  according  to  a  recent  article  in  New 
Scientist,  “examines  the  frequency  with  which  words  appear  in 
each  and  uses  that  to  infer  which  topic  that  document  is  about.  It 
then  identifies  topics  that  each  person  writes  on  most.” 

But  according  to  the  article,  Peterson  has  used  the  Author- 
Topic  system  in  another  way.  By  looking  at  what  people  write 
about  in  their  e-mails,  and  the  manner  in  which  they  do  so,  Peter¬ 
son  says  the  system  can  identify  people  who  are  feeling  alienated 
or  “who  are  discussing  sensitive  topics  externally  and  [can  then] 
class  them  as  having  ‘clandestine,  sensitive  interests.’” 

Clearly,  this  would  allow  the  software  to  spot  whistle-blow¬ 
ers.  And,  according  to  the  article,  when  Author-Topic  “was  fed 
the  250,000  e-mails  sent  between  employees  at  Enron,  it  flagged 
employee  Sherron  Watkins....  It  was  Watkins  who  blew  the  lid  on 
the  firm.” 

Peterson’s  AFIT  system  is  open  source  so  any  organization 
can  use  it  for  free. 

But  before  you  tell  your  e-mail  administrator  to  install  it  or 
a  similar  snooping  tool,  be  sure  to  read  up  on  your  company’s 
employee  privacy  and  e-mail  policies.  And  if  your  company 
doesn’t  have  these  policies  (which  it  should),  a  good  way  to  start 
developing  them  is  to  check  out  “ABC:  An  Introduction  to  E-Mail 
Management,”  at  www.cio.com/article/1284S0. 


- Esther  Schindler 


How  Green  Are  Your  Electronics? 

the  environment  Greenpeace,  the  environmental 
advocacy  group,  ranks  leading  electronic  manufacturers  on  their 
efforts  to  eliminate  toxic  and  noxious  substances  from  their  products 
and  their  efforts  to  be  environmentally  responsible.  -A!  Sacco 


The  TOP  THREE 

greenest  companies 
according  to  the 
most  recent 
rankings,  are: 


*  Nintendo,  maker  oftheWii  gaming  system,  ranked  last  overall. 


Bye-Bye  Provider 

Continued  from  Page  11 

or  replaced,  and  familiarity  with  your 
operations  can  get  lost. 

“Once  a  deal  is  announced,  clients 
need  to  provide  clear  expectations  and 
more  actively  manage  vendor  perfor¬ 
mance,”  says  Pattacini. 

Make  sure  you  have  meaningful 
service-level  agreements  in  place.  See 
that  your  contract  allows  you  to  termi¬ 
nate  upon  a  change  in  control  of  the 
vendor  or  at  least  terminate  for  conve¬ 
nience  at  a  reasonable  fee. 

2.  Expect  your  status  to  change. 
Former  big  fish,  meet  a  bigger  pond. 
“The  customer  may  have  been  a  large 
client,  but  after  the  acquisition  they 
become  a  ‘small’  client,"  says  Pattacini. 
“This  often  translates  to  less  attention 
from  the  vendor  and  affects  key  aspects 
of  the  relationship,  like  innovation. 

3.  Think  long  term.  The  last  thing  a 
provider  is  going  to  do  is  ax  an  exist¬ 
ing  and  profitable  delivery  model,  says 
Gartner’s  Anderson.  But  find  out  where 
your  business  falls  in  terms  of  the  new 
company’s  value  proposition.  If  what 
you  were  paying  for  is  no  longer  critical 
to  the  new  organization’s  success,  that's 
cause  for  concern. 

4.  Use  your  contract  for  leverage. 

A  good  change-of-control  termination 
clause  gives  a  client  leverage  with  the 
new  supplier.  Customers  can  use  it  to 
negotiate  for  assurances  of  continuity 
among  key  outsourcing  staff  regardless 
of  reductions  in  force  or  expanding  ser¬ 
vice  levels,  says  Randall  Parks,  cochair 
of  the  global  technology  and  outsourc¬ 
ing  practice  at  Hunton  &  Williams. 

In  the  end,  the  best  plan  is  to  stay 
engaged  throughout  the  M&A  process. 
“Not  just  through  your  account  man¬ 
ager— because  that  individual  could  get 
reassigned  or  let  go— but  also  further 
up  the  chain,"  says  Pattacini.  "Clients 
should  use  this  opportunity  to  expand 
their  network  within  the  larger  vendor 
organization.”  -Stephanie  Overby 


12  JANUARY  15,  2008  |  www.cio.com 


PHOTO  BY  FAJEAN 


E©  Linux  Enterpi 

3  both  more  eas 
help  you  reduce 
teqration,  syste 


TRENDLINES 


14 


They  Like 
You  in  India, 
NotSoMuch 

in  Brazil 


workers  According  to  a  survey  of 
1,000  employees  in  Brazil,  China,  Ger¬ 
many,  India,  the  United  Kingdom  and 
the  United  States,  54  percent  regard 
senior  management  favorably.  Quite  a 
shocker,  no? 

Sixty-eight  percent  of  Indian  work¬ 
ers  gave  senior  management  the 
thumbs-up,  while  Brazilian  and  British 
employees  (47  percent)  recorded  the 
lowest  levels  of  satisfaction  with  their 
bosses,  according  to  results  gathered 
by  Kenexa  Research  Institute,  a  division 
of  HR  software  and  services  provider 
Kenexa.  (Fifty-five  percent  of  U.S. 
employees  were  positive  about  their 
leadership.) 

But  what  employees  specifically 
value  in  management  varies  by  coun¬ 
try,  according  to  the  study. 

Indian  workers  like  it  when  leaders 
are  quick  to  respond  to  marketplace 
opportunities  and  competitive  threats. 
Brazilian  workers  appreciate  manag¬ 
ers  who  place  a  strong  emphasis  on 
customer  service  and  are  transparent 
about  the  company’s  direction.  Ger¬ 
man  workers  value  leaders  who  act  on 
innovative  ideas  and  work  to  improve 
product  or  service  quality.  Chinese 
workers  are  more  likely  to  rate  senior 
management  as  effective  if  they  feel 
they  have  a  promising  future  at  the 
company  or  if  the  company  creates 
higher  quality  products  or  services 
than  the  competition.  American 
workers  attach  importance  to  being 
well-informed  about  issues  facing  the 
company.  Americans  also  care  about 
the  prompt  resolution  of  customer 
problems. 

-Stephanie  Overby 


Your  Choice: 

Moving  vs.  Extreme 
Commuting 

career  Executives  would  rather  spend  three  hours  or 
more  commuting  to  work  than  relocate  for  a  new  job.  And 
employers  are  increasingly  accommodating  their  prefer¬ 
ences,  according  to  an  online  survey  conducted  by  executive 
search  firm  Korn/Ferry  International. 

More  than  half  (55  percen  t)  of  the  198  Korn/Ferry  head¬ 
hunters  who  responded  to  the  survey  noted  that  persuading 
candidates  to  move  for  a  new  position  has  become  more  dif¬ 
ficult  today  than  it  was  the  past.  Rather  than  relocate,  execu¬ 
tives  are  opting  for  “extreme  commuting”— spending  more 
than  two  and  a  half  hours  a  day  traveling  to  and  from  work. 

The  main  reason  executives  don’t  want  to  relocate,  accord¬ 
ing  to  the  survey,  is  family.  Fifty  percent  said  they  don’t  want 
to  uproot  them.  Other  reasons  for  being  unwilling  to  relocate 
include  lifestyle  factors  (27  percent),  housing  market  costs 
(10  percent)  and  decreased  relocation  budgets  (4  percent). 

More  and  more  employers  are  open  to  negotiating  with 
executive  candidates  who  don’t  want  to  move.  Four  out  of 
five  executive  recruiters  said  companies  will  consider  stipu¬ 
lating  increased  business  travel  in  exchange  for  letting  the 
candidate  stay  put. 

The  high-tech  industry  is  the  most  receptive  to  extreme 
commuting,  according  to  respondents.  Retail  and  insurance 
employees  rank  among  the  least  receptive  to  increased  busi¬ 
ness  travel  as  an  alternative  to  relocation. 

When  companies  absolutely  require  a  candidate  to 
move  for  a  job,  64  percent  of  executive  recruiters  say  those 
employers  will  sweeten  the  deal  by  offering  more  money. 

-Meriditb  Levinson 


JANUARY  15,  2008  |  www.cio.com 


PHOTO  BY  OLIVIER  BLONDEAU 


Where  work  and  play 
intersect  at  high  velocity. 


Introducing  MOTO  Q™  Global,  one  of  AT&T's  fastest  3G  smart  devices. 
Equipped  with  GPS,  Windows  Mobile®  6,  and  a  full  multimedia  experience, 
it's  one  of  the  most  advanced  voice  and  data  devices  of  its  kind.  And  it 
comes  with  your  choice  of  a  free  "My  Q  Paks"  customized  application.  Get 
the  best  of  both  worlds  while  you're  working  and  playing  around  the  globe, 


>  Check  email,  IM,  and  browse  the  Web  at  mobile 
broadband  speeds. 

>  Access  turn-by-turn  GPS  navigation. 

>  Play  videos,  listen  to  music,  and  take  pictures. 

>  Only  AT&T's  3G  network  allows  you  to  talk  and  download  data 
simultaneously. 

>  AT&T  has  the  broadest  global  coverage  of  any  U.S.  carrier. 


MOTO  Q™  Global  only  from  AT&T 

$299" 

after  $50  mail-in  rebate  debit  card  with 
2-year  wireless  service  agreement  on  personal 
or  PDA  data  plans  and  eligible  voice  plan. 


Call  866-9-ATT-B2B  Click  wireless.att.com/motoqglobal  Visit  your  nearest  AT&T  store 


‘AT&T  also  imposes  monthly  a  Regulatory  Cost  Recovery  Charge  of  up  to  $1.25  to  help  defray  costs  incurred  in  complying  with  State  and  Federal  telecom  regulation;  State  and  Federal  Universal  Service 
charges;  and  surcharges  for  customer-based  and  revenue-based  state  and  local  assessments  on  AT&T.  These  are  not  taxes  or  government-required  charges. 

Offer  available  on  select  phones.  Coverage  not  available  in  all  areas.  Limited-time  offer.  Other  conditions  and  restrictions  apply.  See  contract  and  rate  plan  brochure  for  details.  Subscriber  must  live  and  have  a  mailing  address 
within  AT&Ts  owned  wireless  network  coverage  area.  Up  to  $36  activation  fee  applies.  Equipment  price  and  availability  may  vary  by  market  and  may  not  be  available  from  independent  retailers.  Early  Termination  Fee:  None  if  cancelled 
in  the  first  30  days;  thereafter  $175.  Some  agents  impose  additional  fees.  Unlimited  voice  services:  Unlimited  voice  services  are  provided  solely  for  live  dialog  between  two  individuals.  Off  net  Usage:  If  your  minutes  of  use  (including 
unlimited  services)  on  other  carriers'  networks  ("offnet  usage")  during  any  two  consecutive  months  exceed  your  offnet  usage  allowance,  AT&T  may  at  its  option  terminate  your  service,  deny  your  continued  use  of  other  carriers’  coverage, 
or  change  your  plan  to  one  imposing  usage  charges  for  offnet  usage.  Your  offnet  usage  allowance  is  equal  to  the  lesser  of  750  minutes  or  40%  of  the  Anytime  minutes  included  with  your  plan  (data  offnet  usage  allowance  is  the  lesser  of  6 
megabytes  or  20%  of  the  kilobytes  included  with  your  plan).  Rebate  Debit  Card:  Price  of  Motorola  Q  before  mail-in  rebate  debit  card,  data  package  purchase,  voice  plan  purchase,  and  with  2-year  contract  is  $349.99.  Allow  10  to  12  weeks 
for  fulfillment  Card  may  be  used  only  in  the  US.  and  is  valid  for  120  days  after  issuance  date  but  is  not  redeemable  for  cash  and  cannot  be  used  for  cash  withdrawal  at  ATMs  or  automated  gasoline  pumps.  Card  request  must  be  postmarked 
by  3/31/08;  you  must  be  a  customer  for  30  consecutive  days  to  receive  card.  Sales  tax  calculated  based  on  price  of  unactivated  equipment  Certain  email  systems  may  require  additional  hardware  and/or  software  to  access.  Motorola  and 
the  Stylized  M  Logo  are  registered  in  the  US.  Patent  and  Trademark  Office.  ©Motorola,  Inc.  2007.  ©2007  Microsoft  Corporation.  Ail  rights  reserved.  Microsoft  and  Windows  Mobile  are  either  registered  trademarks  ortrademarks  of  Microsoft 
Corporation  in  the  US.  and/or  other  countries.  Service  provided  by  AT&T  Mobility.  ©2008  AT&T  Intellectual  Property.  All  rights  reserved.  AT&T,  the  AT&T  logo,  and  all  other  marks  contained  herein  are  trademarks  of  AT&T  Intellectual  Property 
and/or  AT&T  affiliated  companies. 


'V.W.V.V 


i mmm 


The  server  room  can  be  a  cold  and  lonely  place 
We  can  definitely  help  with  the  lonely  part. 


As  you  sit  there  among  the  humming  and  buzzing  of  servers,  the  miles  of  cables  and  the  flashing  of  tiny  little 
lights,  know  this  -  you  are  not  alone.  At  CDW,  we  provide  you  with  a  personal  account  manager  who  knows 
your  business  and  the  IT  challenges  you  face.  We  make  sure  your  most  difficult  questions  get  answered  by  highly 
trained  technology  specialists  who,  quite  frankly,  are  ridiculously  smart.  And  we  offer  a  full  range  of  custom 
configuration  services  that  can  save  you  valuable  time  and  money.  With  all  this,  plus  an  unfathomable  number 
of  products  from  the  top  names  in  the  industry,  you  should  feel  quite  comfortable  knowing  CDW  has  everything 
you  need,  when  you  need  it.  And  as  always,  we're  only  a  phone  call  away. 


CDW.com  800.399.4CDW 


©2008  CDW  Corporation 


The  Right  Technology.  Right  Away. 


pT 

1 

i 

r|| 

iMi 

mi ! 

i 

i 

i 

i 

*  •  > 

bIj 

■ 

t 

i 

•! 

4m 

fa 

firfmiuU 

1^4.  \mm 

•  itumiy 

ESSENTIAL 


Edited  by 

Laurianne  McLaughlin 

lmclaughlin@cio.com 


Enterprise 
users  can  get 
lost  in  storms 
of  “reply-all” 
e-mails  while 
trying  to 
manage 
projects. 
Blogs  offer  a 
better  way. 


ILLUSTRATION  BY  ANASTASIA  VASILAKIS 


Blogs  Clean  Up  Project 
Management  Messes 


BY  C.G.  LYNCH 


BLOGGING  |  Eugene  Roman,  group  president  of  systems  and  technology  at  Bell 
Canada,  knows  how  to  play  a  blog.  An  enterprise  blog,  that  is.  And  he  has  taught  his 
employees  to  play  a  blog  so  well  that  they  often  have  “jam  sessions”— internal  blog 
forums  where  groups  of  employees  discuss  new  products  and  work  to  streamline  effi¬ 
ciencies  at  the  $18  billion  telecom.  “It’s  like  grabbing  some  instruments  and  going  into 
a  garage,”  Roman  says. 

Except  Bell  Canada’s  garage  is  virtual  and  lives  on  the  corporate  intranet.  The  primary 
instrument,  a  lightweight  enterprise  blogging  tool,  lets  coworkers  blog  about  topics  from 
figuring  out  ways  to  cut  energy  costs  to  conceiving  new  products  for  Bell  Canada,  whose 
distributed  workforce  stretches  from  the  Atlantic  to  the  Pacific.  (Roman  chose  Telligent’s 
Community  Server  2.0  and  did  some  in-house  development  for  the  blog  effort.) 

Roman’s  embrace  of  blogs  shows  that  he  understands  an  ugly  secret  that  IT  depart¬ 
ments  all  over  North  America  don’t  want  to  admit:  E-mail,  used  by  itself,  just  doesn’t  cut 
it  anymore  for  project  management  and  interoffice  communication.  People  get  lost  in  “CC 


www.cio.com  |  JANUARY  15,  2008  17 


essential  technology 


storms”  of  reply-all  e-mails  that  over¬ 
whelm  users  trying  to  manage  projects 
or  collaborate  on  new  business  oppor¬ 
tunities.  “There’s  definitely  a  dark  side 
to  e-mail,”  Roman  says.  “We’ve  all  had 
it  for  20  years,  and  you’d  think  we 
could  get  it  right.” 

But  most  companies  haven’t  got¬ 
ten  it  right,  and  recent  research  indi¬ 
cates  they’re  looking  for  alternatives. 
A  report  earlier  this  year  by  consul¬ 
tancy  Forrester  Research  revealed 
that  54  percent  of  IT  decision  makers 
expressed  an  interest  in  blogs.  Of  the 
companies  that  had  piloted  or  imple¬ 
mented  blogs,  nearly  two-thirds  (63 


who  have  championed  the  technology, 
you’ll  need  enterprise-worthy  blog¬ 
ging  tools  and  test  group  members 
who  become  believers  and  ideally  will 
evangelize  the  technology. 

The  Reputation  Hurdle 

One  starting  issue:  Blogs  still  suffer  a 
reputation  problem  within  large  enter¬ 
prises  (and  even  small  and  midsize 
businesses),  analysts  say.  Many  people 
carry  a  narrow  view  of  what  blogs  can 
accomplish.  “People  are  hung  up  on 
this  concept  of  the  blog  as  a  diary  and 
as  an  external  marketing  medium,” 
says  Charman. 


“Traditional  enterprise  solutions 
were  designed  to  keep  IT  happy. 
They’re  not  usually  designed  with  any 
thought  to  the  user,  like  a  blog  is.” 

-Suw  Charman,  social  software  consultant 


percent)  said  they  used  them  for  inter¬ 
nal  communications.  Fifty  percent  said 
they  used  blogs  for  internal  knowledge 
and  content  management— and  these 
companies  are  leading  the  way  of  the 
future,  analysts  say. 

If  you’re  just  now  preparing  to  take 
the  blog  plunge,  changing  decades  of 
work  habits  for  a  generation  of  infor¬ 
mation  workers  tethered  to  e-mail 
won’t  be  easy.  Blogs  also  remain  a 
tough  sell  for  traditional  IT  leaders 
who  value  a  command-and-control, 
top-down  hierarchy  when  it  comes 
to  their  infrastructure.  “Traditional 
enterprise  solutions  were  designed  to 
keep  IT  happy,”  says  Suw  Charman,  a 
social  software  consultant  who  helps 
companies  understand  the  use  of  blogs 
and  wikis  in  business.  “They’re  not 
usually  designed  with  any  thought  to 
the  user,  like  a  blog  is.” 

For  implementation  success,  say 
analysts  and  practitioners  like  Roman 


At  a  large  company,  the  people  most 
likely  to  have  this  narrow  view  of  blogs 
are  the  C-level  executives  themselves. 
How  can  you  combat  this  misconcep¬ 
tion?  In  the  beginning  of  a  blog  effort. 
Bell  Canada’s  Roman  says,  companies 
should  consider  avoiding  the  word  blog 
altogether  and  use  a  euphemism.  “Call¬ 
ing  it  something  like  an  idea  board  can 
be  good  start,”  he  says.  “That’s  less 
threatening  than  saying,  ‘I  want  to  start 
a  virtual  water  cooler  where  people  can 
blog  and  discuss  new  products.’” 

It’s  also  important  to  address  secu¬ 
rity  and  compliance  issues  from 
the  start,  Roman  notes.  Bell  Canada 
addressed  those  concerns  by  building 
the  blog  behind  the  corporate  firewall. 
Remote  workers  can  access  it  only 
through  the  corporate  intranet  using 
a  virtual  private  network  (VPN).  “The 
executives  are  immediately  concerned 
about  legality,”  he  says.  “So  you  lay  out 
what  the  rules  of  engagement  will  be. 


Blogging 

Toolbox 

The  nitty-gritty  implementation 
of  a  blog  isn’t  hard.  Neither  is 
navigating  the  selection  of  tools. 

In  fact,  line-of-business  leaders 
who  want  to  start  a  blogging  effort 
without  IT’s  help  need  only  a  credit 
card  and  a  Web  browser  to  deploy 
a  hosted  blogging  service  (from  a 
vendor  such  as  Automattic). 

For  companies  taking  the  more 
proactive  approach  to  enterprise 
blogging,  says  Jonathan  Edwards, 
a  Yankee  Group  analyst,  pure-play 
blogging  vendors  like  Six  Apart 
(known  for  its  Movable  Type  prod¬ 
ucts)  make  a  natural  starting  point. 
Blogging  is  bread  and  butter  for 
these  vendors,  which  have  built 
enterprise-grade  blogs  and  related 
tools  with  simple  user  interfaces, 
data  integration  and  strong  secu¬ 
rity.  Also  worth  considering  in  this 
group:  Blogtronix— a  platform  that 
integrates  blogs  with  wikis,  RSS, 
communities,  analytics  and  corpo¬ 
rate  social  networking— and  Jive 
Software’s  Clearspace  suite,  which 
includes  blogs,  discussion  and  wiki 
tools.  If  you  don’t  want  a  hosted 
solution  because  of  compliance 
concerns,  some  of  these  vendors 
also  offer  on-premises  solutions. 

It’s  just  a  matter  of  time, 

Edwards  says,  before  vendors  like 
Microsoft  and  IBM  capitalize  on 
their  blog  capabilities  by  pairing 
them  with  a  suite  of  Web  2.0  appli¬ 
cations.  Today,  IBM  offers  a  blog 
function  in  its  Lotus  Connections 
suite  of  Web  2.0-inspired  technolo¬ 
gies,  and  Microsoft’s  Sharepoint 
contains  a  blog  template. 

That  said,  don't  rule  out  the  blog¬ 
ging  specialists  right  now,  since 
they’ve  held  the  keys  to  innovation 
and  have  developed  user-friendly 
interfaces,  Edwards  says.  -C.G.L. 


18 


JANUARY  15,  2008  |  www.cio.com 


Your  potential.  Our  passion  ® 

Microsoft 


rtiTiwri” 


nmnttnmmrmmnmmti 


r  t  Mm  iff  ffff  wwrmfnwffffniit 


MMii 


A  Global  Brand  Building  on  SAP®  Software. 
Running  on  Microsoft  SQL  Server  2005. 


Global  consumer  goods  leader  Unilever  migrated  its  SAP  ERP 
application  in  Canada  to  SQL  Server™  2005  running  on  Microsoft® 
Windows  Server®  2003.  Now  they're  ready  to  scale  up  by  200%  and 
maintain  99.999%  uptime.*  See  how  at  microsoft.com/bigdata 


‘Results  not  typical,  and  are  based  on  use  with  Windows  Server  2003  Enterprise  Edition.  Availability 
is  dependent  on  many  factors,  including  hardware  and  software  technologies,  mission-critical 
operational  processes,  and  professional  services. 


ESSENTiALtechnology 


That  makes  them  more  comfortable 
with  going  forward.” 

Start  Small 

While  blogs  are  typically  most  useful 
when  many  users  participate,  analysts 
and  practitioners  say  you’re  better  off  to 
start  small.  Blogs  work  well  when  they 
catch  on  virally,  and  you  need  to  intro¬ 
duce  the  idea  to  the  right  test  group, 
which  will  then  evangelize  the  idea  to 
the  rest  of  the  enterprise.  Sometimes, 
that  test  group  has  already  given  up 
on  enterprise  tools,  as  Dr.  Mark  Green- 
halgh  recently  learned.  Greenhalgh,  a 
family  physician,  sought  a  test  group 
for  his  social  networking  portal  (which 
includes  a  blogging  feature)  launching  as 
part  of  an  initiative  funded  by  the  United 
Kingdom’s  Department  of  Health.  The 
best  candidate  turned  out  to  be  what  IT 
managers  would  call  a  “rogue  IT”  group 
(one  that  seeks  out  a  consumer-grade 
technology  to  help  do  its  jobs  when 
enterprise  tools  disappoint). 

The  Public  Health  Commissioning 
Network— a  group  of  200  physicians 
that  allocates  scarce  funds  for  drugs, 
technology  and  research— had  taken 
to  using  a  Yahoo  discussion  forum  to 
avoid  long,  tangled  e-mail  threads. 
While  the  forum  was  password  pro¬ 
tected,  Greenhalgh  says  the  doctors 
needed  something  better.  “They  have 
pretty  sensitive  talks  and  they  need  to 
keep  it  reasonably  quiet,”  he  says. 

The  Public  Health  Commissioning 
Network  and  two  other  groups  will 
serve  as  a  test  group  for  Greenhalgh. 
He  hopes  to  make  them  advocates  that 
will  encourage  other  physicians  to  get 
on  board.  “I’m  giving  them  a  platform 
that’s  more  dedicated  to  their  needs,” 
he  says.  “We  need  to  then  bring  people 
into  these  communities  so  they  can  gain 
momentum.” 

Bell  Canada’s  Roman  also  success¬ 
fully  used  pilot  groups  for  his  blogging 
platform  and  other  Web  2.0  technologies. 
“The  test  group  is  very  critical,”  he  says. 
“You  need  a  friendly  test  group.  You  want 

20  JANUARY  15,  2008  |  www.cio.com 


“Callingthe  blog  something  likean  idea 
board  can  be  good  start.  That’s  less 
threateningthan  saying,  1  wantto  start 
a  virtual  water  cooler  where  people 
can  blog  and  d  iscuss  new  products.'  ” 

-Eugene  Roman,  Bell  Canada  group  president  of  systems  and  technology 


them  to  give  you  the  critique,  but  they  also 
become  the  champion  and  say,  Wow,  this 
is  cool,  and  tell  their  colleagues.” 

This  blog  effort,  dubbed  “ID-ah”  by 
Bell  Canada,  was  first  used  by  a  few 
hundred  employees  in  2006,  with  a  full 
rollout  companywide  in  early  2007.  The 
“jam  sessions”  started  in  2007  as  well. 

To  date,  more  than  1,000  ideas  have 
been  submitted  by  employees,  3,000 
comments  shared  about  the  ideas,  and 
15,000  employees  (out  of  40,000  Bell 
Canada  employees)  have  voted,  Roman 
says.  Of  the  1,000  ideas,  27  of  the  top- 
voted  ideas  have  been  “harvested”  for 
review  in  the  past  six  months  and  12 
have  been  implemented,  he  adds. 

Curing  the  E-Mail  Addicts 

For  all  the  hype  about  Web-based  tech¬ 
nologies  permeating  the  enterprise,  not 
all  employees  love  consumer  IT.  Some 
people  cling  to  their  corporate  e-mail 
boxes  as  if  they  were  cigarettes:  They’re 
hopelessly  addicted.  “We’re  all  so  accus¬ 
tomed  to  e-mail.  You  can’t  change  the 
way  people  work  overnight,”  says  Jona¬ 
than  Edwards,  a  Yankee  Group  analyst. 

One  way  to  wean  employees  from 
e-mail  communications:  Don’t  fight  it 
entirely.  The  sister  technology  to  a  blog, 
Really  Simple  Syndication  (RSS),  can 
help.  At  Bell  Canada,  when  a  manager 


Future  of  Business  Blogging 


How  will  businesses  use  internal 
blogs  next?  Check  out  a  Q&A  WITH 
AUTOMATTIC  CEO  TONI  SCHNEIDER  at 
www.cio. com/article/158900. 

cio.com 


decides  to  start  a  blog  jam,  he  or  she  uses 
an  RSS  feed  to  push  an  invite  message  to 
the  desired  participants’  e-mail  inboxes. 
In  the  e-mail,  employees  can  click  on  a 
link  that  leads  them  to  the  jam  session. 
The  message  gives  them  48  hours  to 
comment  on  the  topic,  making  it  harder 
for  them  to  throw  the  invite  aside. 

Roman  also  has  very  specific  guide¬ 
lines  for  how  people  conduct  themselves. 
One  of  the  drawbacks  to  online  commu¬ 
nication  formats  like  blogs  is  that  they 
encourage  passive-aggressive  behavior 
and  other  kinds  of  what’s  now  com¬ 
monly  called  Web  rage.  People  might  feel 
emboldened  to  say  something  to  another 
colleague  that  they’d  never  say  in  a  face- 
to-face  meeting  or  on  the  phone.  “There 
won’t  be  any  slamming  on  our  blogs,” 
Roman  says.  “We  make  that  very  clear 
when  people  log  on  for  the  first  time.” 

No  Is  Not  a  Good  Answer 

Teaching  employees  to  use  blog-editing 
tools  isn’t  hard,  since  they  essentially 
look  like  a  lightweight  word  processor. 
Instead,  the  challenge  comes  in  remind¬ 
ing  them  to  tag  their  posts  with  key¬ 
words  that  will  help  with  later  search 
and  discovery  needs. 

Need  more  convincing  on  the  value 
of  blogs?  Remember,  if  companies  don’t 
adopt  blogging  technologies  for  the 
enterprise,  line-of-business  heads  are 
just  a  credit-card  purchase  away  from 
a  hosted  offering.  BID 


Staff  Writer  C.G.  Lynch  can  be  reached  at 
clynch@cio.com.  To  comment  on  this  arti¬ 
cle,  go  to  www.cio.com/article/163250 . 


HOTEL- 

ROYAL 

01' 

CAP 


■**  *■!>»» 


OUTSOURCING  SERVICES 

e  are  convinced  that  outsourcing  gives  you  the  freedom  to  concentrate  on  core  business 
rgets.  Which  is  why  we  offer  you  the  opportunity  to  entrust  your  I.T.  system  with  us  without 
sing  control.  Because  in  the  right  hands,  your  I.T.  system  can  become  a  performance  lever 
at  increases  your  freedom  of  action. 

sit  us  at  www.capgemini.com 


apgemini 


CONSULTING. TECHNOLOGY.  OUTSOURCING 


Mid-Market  |  Compliance 


If  you  want  to  transact  business  with  credit  cards, 
you  have  to  follow  the  rules— the  payment  card 
industry  security  standards.  Companies  that  don’t 
comply  face  fines  or  worse.  So  why  aren’t  more 
mid-market  merchants  already  in  compliance? 


BY  MICHAEL  JACKMAN 


A  YEAR  AFTER  TJX  COMPANIES  SUFFERED  WHAT  IS  BELIEVED  TO  BE 
the  largest  identity  theft  to  have  hit  a  retailer,  credit  card  companies  have  laid  down 
the  law  for  any  merchant  that  transacts  business  with  plastic.  Beginning  Dec.  31, 
2007,  all  businesses  that  handle  between  1  million  and  6  million  credit  card  trans¬ 
actions  a  year  (primarily  mid-market  companies)  were  supposed  to  be  compliant 
with  the  payment  card  industry’s  new  Data  Security  Standard  (PCI  DSS). 

Companies  that  fail  to  comply  with  the  standard’s  12-point  specification  risk  thou¬ 
sands  of  dollars  in  fines  (from  Visa,  $5,000  to  $25,000  a  month),  though  it’s  hard 
to  predict  what  noncompliance  will  really  cost  because 
the  penalty  structure  is  complex.  Ultimately,  Visa,  Mas- 

::  Security  requirements  for 

terCard  and  the  other  payment  card  companies  could  crecjit  card  transactions 

revoke  merchants’  rights  to  make  credit  card  transac-  ::  Challenges  to  compliance 


22  JANUARY  15,  2008  |  www.cio.com 


PHOTO  BY  CLAUDIO  VAZQUEZ 


National  Aquarium  in 
Baltimore  CTO  Hans 
Keller  (beside  a  tank 
holding  a  freshwater 
whipray):  “PCI  gave  us  a 
great  security  checklist.’ 


Mid-Market 


Compliance 


tions— a  mortal  wound  for  any  con¬ 
sumer-oriented  business.  And  yet 
despite  the  threat  of  penalties,  experts 
believe  that  most  midsize  companies 
won’t  make  the  deadline  (larger  compa¬ 
nies  with  a  higher  transaction  volume 
are  already  supposed  to  be  compliant). 

Compliance  is  hardly  rocket  sci¬ 
ence— or  is  it?  Directives  to  use  fire¬ 
walls  and  change  vendor-supplied 
default  passwords  are  simply  secu¬ 
rity  best  practices.  But  in  other  areas, 
merchants  struggle  to  interpret  the 


to  more  than  100  million  user  accounts, 
from  customer  transactions  going  back 
to  2002. 

According  to  The  Wall  Street  Jour¬ 
nal,  the  thieves  may  have  begun 
their  odyssey  in  a  van  parked  near 
a  St.  Paul,  Minn.,  Marshalls  store, 
at  which  they  pointed  an  antenna 
and  picked  up  wireless  data  beamed 
across  the  store  from  registers  and 
handheld  scanners.  The  intercepted 
data  allowed  thieves  to  hack  the  main 
network  in  Framingham,  Mass.,  and 


tasks  of  qualifying  and  managing  the 
auditors  who  must  certify  merchants’ 
compliance  (known  as  qualified  secu¬ 
rity  assessors,  or  QSAs),  and  qualifying 
approved  scanning  vendors,  who  test 
system  security  by  scanning  for  open 
ports  and  potential  entry  points  in  a 
network.  The  council  is  also  certifying 
labs  to  test  and  validate  the  security  of 
pin-entry  devices. 

Despite  any  relief  merchants  may 
feel  by  being  held  to  only  one  merged 
standard,  DSS  remains  a  throbbing 


Many  consultants  claim  to  be  working  on  behalf  of  PCI,  but 
“none  of  them  will  sign  your  audit  questionnaire.  If  they  won’t 
stand  behind  me  in  case  of  a  breach,  why  should  I  pay  them  any 

money  in  the  first  place?"  -hans  KELLER,  cto,  national  aquarium  in  BALTIMORE 


standards,  haggling  with  auditors, 
consultants  and  sometimes  the  PCI 
Security  Standards  Council  itself  over 
exactly  how  to  protect  cardholder  data. 
And  they  often  have  to  reach  deep  into 
cash-strapped  pockets  to  come  up  with 
the  funds  for  conducting  a  top-to-bot- 
tom  security  review. 

Brian  Shniderman,  a  director  at 
Deloitte  Consulting,  estimates  that 
40  percent  to  45  percent  of  merchants 
might  need  to  overhaul  everything 
from  access  management,  ID  control 
and  physical  security,  to  infrastructure, 
firewalls  and  antivirus  measures. 

“The  industry  is  not  sitting  in  a  sta¬ 
ble  position  with  regard  to  PCI  stan¬ 
dards,”  he  says. 

LESSONS  FROM  TJX 

Version  1.1  of  the  PCI  Data  Security 
Standard  (PCI  DSS  1.1)  was  on  the 
books  in  January  2007,  when  TJX 
Companies— operator  of  A.J.  Wright, 
Bob’s  Stores,  HomeGoods,  Marshalls 
and  T.J.  Maxx— announced  that  hackers 
had  breached  its  network.  Estimates  of 
the  damage  vary,  but  data  thieves  may 
have  copped  anywhere  from  45  million 


allowed  them  to  download  megabytes 
of  stored  customer  records.  At  least 
three  class-action  lawsuits  seeking 
damages  on  behalf  of  customers  and 
banks  are  pending  in  federal  or  state 
courts.  (TJX  is  awaiting  federal  court 
approval  of  a  proposed  settlement 
with  customers  worth  an  estimated 
$256  million.  On  Nov.  30,  2007,  the 
company  announced  a  $40.9  million 
settlement  with  Visa  through  which 
it  would  pay  banks  for  their  claimed 
losses,  provided  banks  agree  not  to 
pursue  further  legal  action.) 

Among  the  11  security  deficiencies 
with  which  TJX  was  charged:  It  failed 
to  comply  with  the  PCI  standards 
for  data  and  computer  security.  This 
global  security  standard  is  a  product 
of  the  PCI  Security  Standards  Council, 
created  in  September  2006  by  the  five 
major  card  brands:  American  Express, 
Discover  Financial  Services,  JCB,  Mas¬ 
terCard  Worldwide  and  Visa.  Accord¬ 
ing  to  Bob  Russo,  the  PCI  council’s 
general  manager,  the  group’s  main 
goal  was  to  create  “one  answer  for  all 
five  brands.”  It  also  seeks  to  educate 
companies  and  has  taken  on  the  vital 


toothache  for  many  CIOs  in  charge  of 
payment  card  transaction  systems. 
Compliance,  verified  by  stated  dead¬ 
lines,  is  mandatory.  Fines  threaten, 
but  it’s  hard  for  merchants  to  predict 
just  what  they  might  cost  because 
they  are  levied  by  the  individual  card 
companies  that  have  their  own  rules 
and  rates  (Visa  may  fine  one  amount 
and  MasterCard  another).  Complicat¬ 
ing  matters  further,  these  fines  are 
not  directly  charged  to  merchants  but 
to  their  card-processing  banks.  The 
banks  then  choose  to  either  pass  them 
along,  absorb  them  or,  in  some  cases, 
even  increase  them. 

Other  punitive  measures  are  pos¬ 
sible,  including  having  card  process¬ 
ing  privileges  revoked  or,  as  in  the  TJX 
example,  justification  for  lawsuits. 

Most  analysts  agree  that  the  major¬ 
ity  of  companies  are  not  yet  certified, 
though  the  exact  numbers  are  hard  to 
pin  down.  In  an  October  news  release, 
Visa  announced  that  65  percent  of  the 
largest  merchants  had  been  verified 
as  compliant.  Shniderman  of  Deloitte 
Consulting  puts  the  level  for  midsize 
merchants  at  43  percent. 


24  JANUARY  15,  2008  |  www.cio.rom 


©2007  Toshiba  America  Business  Solutions,  Inc.  Electronic  Imaging  Division.  All  rights  reserved. 


\ 


'M 


p 


FINANCE  &  IT 

WORKING  TOGETHER  TO  KEEP  THE  BAD  GUYS  OUT 


TOSHIBA  MFPs  bring  a  perfect  balance  of  security  and  affordability  into  the  workplace.  The  folks  in  IT  will  love 
the  new  Smartcard  technology  because  it  ensures  user  authentication  with  an  ID  card.  And  the  good  people  in  finance 
will  feel  safe  in  knowing  that  Toshiba  MFPs  exceed  all  government  mandates  lor  controlling  access  and  data  integrity. 
Talk  about  a  secure  relationship.  Visit  us  at  copiers.toshiba.com  to  download  our  white  paper  on  security. 


TOSHIBA  n 

Leading  Innovation  »>  secuitSMFP 


Mid-Market 


Compliance 


You’ll  never  be  finished  with  compli¬ 
ance.  Even  after  your  company  meets 
the  current  standards,  you  can  expect 
new  requirements  to  address  new 
threats.  And  with  them,  new  deadlines. 


COMMON  SENSE 
STANDARDS 

So  merchants  have  little  choice.  But 
how  good  is  the  standard  and  how 
bad  are  the  obstacles  to  achieving  the 
sought-after  verification?  Hans  Keller, 
CTO  (since  1999)  of  the  National  Aquar¬ 
ium  in  Baltimore,  says  that  most  of  the 
requirements  are  common  sense.  “A  lot 
of  pieces  of  PCI  are  things  you  should 
be  doing.”  The  PCI  council’s  Russo  con¬ 
curs.  “There  really  isn’t  anything  mys¬ 
terious  about  these  standards.  They  are 
all  security  best  practices.” 

Those  who  gritted  their  teeth  over 
earlier  standards,  such  as  Visa’s 
Account  Information  Security  and 
Cardholder  Information  Security  Pro¬ 
gram,  or  MasterCard’s  Site  Data  Pro¬ 
tection— and  who  then  found  the  first 
version  of  the  PCI  security  standard 
confusing— should  at  least  find  the  lat¬ 
est  incarnation  much  clearer.  Russo 
says  that  among  the  issues  solved  by 
version  1.1  are  inconsistencies  in  ter¬ 
minology  and  language.  For  instance, 
words  like  the  vague  “periodically”  and 
“regularly”  have  been  replaced  with 


specifics,  such  as  annually,  quarterly 
and  monthly.  Other  changes  ironed  out 
distinctions  between  cardholder  data, 
which  merchants  store  and  must  pro¬ 
tect,  and  data  so  sensitive  that  it  should 
never  be  stored. 

IMPLEMENTATION 

CHALLENGES 

Neat  as  that  sounds,  don’t  put  away 
the  aspirin  yet.  Unless  you  run  a  large 
business,  you’ll  face  several  implemen¬ 
tation  challenges. 

1.  Tight  budgets.  While  larger  com¬ 
panies  (which  PCI  calls  Level  1)  often 
have  dedicated  security  resources,  mid¬ 
size  merchants  may  find  themselves  in 
that  jaw-clenching  budget  bind. 

2.  Complex  environments.  Cathy 


Hotka,  a  retail  technology  consultant, 
says  even  mid-market  merchants  may 
be  running  more  than  500  applica¬ 
tions  at  a  time  in  “highly  custom¬ 
ized  environments  with  handwritten 
code”  that  has  been  around  for  years. 
Old  code  is  often  poorly  documented, 
and  even  small  changes  are  compli¬ 
cated-just  as  they  were  when  fixing 
the  Y2K  bug.  The  DSS  standards  are 
more  comprehensive  than  replacing 
two-digit  years  with  four-digit  years, 
and  they  constantly  change.  Hotka 
compares  complying  to  PCI  with  “fix¬ 
ing  the  windshield  of  a  plane  while  it’s 
in  the  air.” 

3.  Conflicting  interpretations.  Indi¬ 
vidual  auditors  may  interpret  the  rules 
differently.  “The  auditor  you  bring  in 


Why  Should  Merchants  Keep  Credit  Card  Data? 

Retail  industry  wants  to  retain  bare  minimum  of  customer  financial  information 


WHO  WOULD  QUESTION  the  assump¬ 
tion  that  retailers  should  protect  their 
customers’  credit  card  data?  The  retail¬ 
ers.  As  businesses  that  take  credit 
cards  have  embarked  on  the  costly  trek 
toward  the  payment  card  industry's 
(PCI)  compliance,  some  members  of 
the  National  Retail  Federation  (NRF), 
an  industry  trade  association,  are  won¬ 
dering  why  this  security  effort  has  fallen 
into  their  laps. 

Last  October,  David  Hogan,  SVP  and 
CIO  of  the  NRF,  challenged  the  basic 
assumption  behind  PCI’s  new  Data 
Security  Standard  (DSS)— that  retail¬ 
ers  need  to  keep  credit  card  data  at  all. 


in  a  letter  to  PCI  Security  Standards 
Council  General  Manager  Bob  Russo, 
Hogan  suggested  that  if  credit  card 
companies  didn't  force  merchants  to 
store  this  information  in  the  first  place, 
then  merchants  wouldn't  have  to  invest 
“hundreds  of  millions  of  dollars  annu¬ 
ally”  and  “jump  through  extraordinary 
hoops”  to  protect  it. 

Instead  of  keeping  "reams  of  data,” 
Hogan  writes,  retailers  could  store  just 
the  authorization  code  given  at  the  time 
of  sale,  along  with  part  of  the  receipt- 
stuff  no  data  thief  could  use.  With  no 
credit  card  data  to  steal,  hackers  would 
look  elsewhere.  As  for  merchants, 


they’d  still  retain  enough  evidence  of  a 
valid  transaction  to  serve  their  custom¬ 
ers,  such  as  by  processing  returns. 

And  at  what  targets  would  hackers 
have  to  aim,  with  no  credit  card  info  in 
the  stores?  At  credit  card  companies 
and  banks,  Hogan  writes,  which  could 
secure  their  data  however  they  wished. 
In  other  words,  it’s  their  data— let  them 
take  the  responsibility  for  it. 

In  a  statement,  the  PCI  Security 
Standards  Council  says  that  the  request 
needs  to  be  taken  up  with  the  card  com¬ 
panies  themselves,  though  the  council 
says  it  would  respond  after  reviewing 
the  letter.  -M.J. 


26  JANUARY  15,  2008  |  www.cio.com 


Sun  xVM:  Open,  Free,  Supported 


The  Sun  xVM  family  brings  together  virtualization  and 
management  to  help  better  control  both  physical  and 
virtualized  assets. 

With  the  new  SunT"xVM  Server  and  Sun  xVM  Ops  Center 
you  can  help  simplify  management,  improve  utilization 
and  cut  costs  across  your  entire  IT  infrastructure.  And  xVM 
can  help  you  consolidate  and  manage  Windows,  Linux, 
and  Solaris?  On  any  vendor's  server  or  storage  system. 
Don't  get  trapped  by  proprietary  virtualization  solutions. 

Embrace  freedom.  Learn  more  at  sun.com/xVMfreedom 

Call  your  local  Sun  Sales  Representative,  Sun  Authorized  Partner 
or  (888)  516-9362. 


Don’t  Get  Trapped  by  a 
Proprietary  Virtualization 


4® 


Windows 


soLans 


©  2007  Sun  Microsystems,  Inc.  All  rights  reserved.  All  logos  and  trademarks  are  property  of  their  respective  owners. 


Mid-Market 


Compliance 


today  will  tell  you  something  differ¬ 
ent  than  the  auditor  you  bring  in  next 
week,”  says  the  National  Aquarium  in 
Baltimore’s  Keller.  Disagreements  can 
arise  over  the  proper  way  to  divide  up 
networks  and  secure  them  with  fire¬ 
walls. 

HOW  ONE  CIO  IS  MEETING 
THE  PCI  COMPLIANCE 
CHALLENGE 

Though  it  qualifies  as  a  small  merchant, 
the  National  Aquarium  in  Baltimore 
(which  earns  about  $35.8  million  in 
annual  revenue)  has  encountered  most 
of  these  midlevel  difficulties.  Reporting 
to  the  CFO,  Keller  oversees  an  IT  staff 
of  10.  He’s  responsible  for  application 
development  as  well  as  support  for 
500  users  and  300  PCs.  Keller  devotes 
approximately  1  percent  of  his  annual 
$1.5  million  IT  budget  to  PCI  compli¬ 
ance. 

The  aquarium’s  road  to  compliance 
began  in  September  2006,  when  its 
merchant  bank  asked  for  an  update. 
Merchant  banks  process  payment 
cards  and  are  the  middlemen  between 
the  payment  card  companies  and  the 
merchants. 

The  12  top-level  standards  quickly 
subdivide  into  finer  levels  of  detail. 
For  instance,  Requirement  8:  “Assign 
a  Unique  ID  to  Each  Person  with 
Computer  Access”  contains  five  sub¬ 
steps,  with  step  8.5  divided  into  16 
more.  In  response  to  this  requirement, 


Common  Sense  Required 

Payment  card  industry  security  standards 
provide  a  list  of  best  practices 


Build  and  Maintain  a 

Secure  Network 

►  Install  and  maintain  a  firewall. 

►  Change  vendor-supplied  defaults 
for  system  passwords  and  other 
security  parameters. 

Protect  Cardholder  Data 

►  Protect  stored  transaction  data. 

►  Encrypt  data  transmitted  across 
open,  public  networks. 

Maintain  a  Vulnerability 

Management  Program 

►  Keep  antivirus  software 
updated. 

►  Develop  and  maintain  secure 
systems  and  applications. 


Keller  moved  his  admissions  system 
away  from  one  common  “extremely 
restricted”  log-in  used  by  everyone 
working  the  ticket  booth,  to  separate 
IDs  for  each  employee.  Internally,  he 
now  tracks  users  by  PC  as  well  as  by 
their  job  function,  so  that  their  network 
access  across  the  system  can  be  logged. 
As  required  by  PCI,  passwords  change 
every  90  days.  Keller  also  added  an 
intrusion  detection  system  and  revised 
information  security  policies  to  make 
them  more  easily  understandable. 

Keller  decided  to  do  his  own  compli- 


Implement  Strong 

Access  Control  Measures 

►  Restrict  access  to  cardholder 
data  by  business  need  to  know. 

►  Assign  a  unique  ID  to  each  per¬ 
son  with  computer  access. 

►  Restrict  physical  access  to 
cardholder  data. 

Monitor  and  Test  Networks 

►  Track  and  monitor  all  access  to 
network  resources  and  card¬ 
holder  data. 

►  Regularly  test  security  systems 
and  processes. 

Maintain  an  Information 

Security  Policy 


ance  work  in-house,  but  it  wasn’t  his  first 
choice.  First  he  approached  consultants 
specializing  in  PCI  DSS,  but  he  had  dif¬ 
ficulty  finding  a  firm  willing  to  take  full 
accountability  for  its  decisions. 

Many  consultants  claim  to  be  work¬ 
ing  on  behalf  of  PCI,  but  “none  of  them 
will  sign  next  to  you  on  your  audit 
questionnaire,”  explains  Keller.  “So  if 
they  won’t  stand  behind  me  and  sign 
on  the  line  in  case  of  a  breach,  why 
should  I  pay  them  any  money  in  the 
first-place?” 

Keller  does  use  an  approved  QSA, 


Leader  in  Middleware 


1.  " The  Forrester  Wave™:  Application  Server  Platforms,  Q3  2007,"  Forrester  Research  Inc.,  July  11,  2007. 


2.  SOA  World  Magazine  2007  Reader's  Choice  Awards,  July  3,  2007. 


Fishnet  Security,  for  the  quarterly 
security  scans  and  penetration  test¬ 
ing  required  by  PCI  for  all  merchants 
with  more  than  10,000  transactions 
a  month.  The  results  are  forwarded 
to  the  National  Aquarium’s  merchant 
bank.  As  the  company  develops  new 
applications,  the  QSA  consultant  will 
also  analyze  the  code  for  security  com¬ 
pliance  as  part  of  the  development  pro¬ 
cess.  The  requirement  to  test  new  code 
has  a  deadline  of  June  30. 

When  it  came  to  interpreting  the 
standard,  one  area  in  which  he  and  the 
auditors  disagreed  was  with  the  proper 
way  to  secure  a  proprietary  wireless 
bridge  between  two  buildings. 

“Some  [auditors]  will  say  even 
though  there’s  no  credit  card  traffic 
passing  through  that  it  still  needs  to  be 
segmented  off  with  hardware  firewalls. 
And  to  me,  I  cannot  see  a  valid  need  for 
doing  that  when  the  wireless  network 
itself  is  proprietary.  So  I  think  there  are 
opportunities  where  the  standard  can 
be  taken  a  little  bit  too  far.” 

Despite  the  difficulties,  Keller  seems 
satisfied  with  the  standard  and  the 
process.  “PCI  gave  us  a  great  security 
checklist  and  a  great  place  to  start. 


More  about  PCI  Standards 


For  tips  from  security  experts,  read  A 

GUIDE  TO  PRACTICAL  PCI  COMPLIANCE 
at  www.cio.com/article/153751. 

cio.com 


And  by  going  through  the  12  different 
requirements,  it  allowed  us  to  ensure 
that  we  have  adequate  protection 
around  the  data  that  we  have.” 

NEVER-ENDING  DEADLINES 

You’ll  never  be  finished  with  compli¬ 
ance.  Even  after  your  company  meets 
the  current  standards  and  sets  up  the 
quarterly  cycle  of  scans  and  reports, 
you  can  expect  new  requirements  to 
address  new  threats.  And  with  them, 
new  deadlines. 

Russo  explains  that  the  PCI  council 
will  “make  changes  in  the  standard  on 
the  fly”  as  a  way  of  responding  flexibly 
to  new  threats.  How  long  merchants 
will  have  to  respond  depends  on  the 
type  of  change.  A  simple  patch  might  be 
required  immediately.  Major  changes, 
such  as  the  new  Web  and  enterprise 
application  code  audit  requirement 
due  June  30,  will  get  companies  a  year 
to  18  months’  grace  period.  “The  object 
of  releasing  a  new  standard  is  not  to 
put  anyone  out  of  compliance  when 
we  release  it,”  assures  Russo. 

While  penalties  are  the  stick  of  PCI, 
brand  confidence  may  be  the  carrot.  In 
the  event  of  a  security  breach,  you  have 
your  customers  and  your  brand  suffer¬ 
ing  a  tremendous  amount  of  damage. 
Or  so  runs  conventional  wisdom. 

But  customer  confidence  proves  to 
be  notoriously  fickle.  Take  TJX.  Follow¬ 
ing  its  data  breach  disclosure,  the  com¬ 
pany  reported  two  consecutive,  highly 


successful  quarters.  To  some  observers, 
the  fact  that  TJX  has  not  suffered  seri¬ 
ous  consequences  makes  the  carrot  of 
customer  confidence  a  harder  sell.  Says 
Keller:  “Think  of  the  PR,  especially  for 
an  organization  like  ours.  What  if  we 
have  this  huge  data  breach?  Yet  here’s 
T.J.  Maxx,  a  well-known  brand.  They 
have  this  huge  breach  and  yet  they  have 
one  of  their  best  quarters  ever.” 

Shniderman  cautions  IT  leaders  to 
be  careful  of  how  they  interpret  TJX’s 
good  fortune.  “You  can  read  a  couple  of 
things  into  that,”  he  says.  “Some  con¬ 
sumers  are  willing  to  increase  their 
vulnerability  to  get  a  good  discount,” 
he  says. 

TJX  might  have  changed  its  pricing  or 
promotions  during  the  period  after  the 
breach,  or  it  may  simply  have  addressed 
the  crisis  effectively,  continues  Shnider¬ 
man.  “If  you  have  a  fraud-compromising 
event,  it’s  a  moment  of  truth.  The  trust 
level  goes  down  significantly  if  you  don’t 
address  it  well.” 

Whether  or  not  customer  confidence 
can  be  managed  after  a  breach,  it’s  a  safe 
bet  that  no  company  wants  to  suffer  one. 
And  while  PCI  DSS  1.1  will  not  plug  all 
potential  security  leaks,  it’s  now  a  nec¬ 
essary  cost  of  doing  business.  BE 


Michael  Jackman  writes  frequently  about 
computer  security.  He  can  be  reached  at 
mjackman@mifreelancer.com.  To  comment 
on  this  story,  go  to  the  online  version  at 
www.cio.  com/article/162900. 


'Oracle  received  the  highest  scores  across  all  the  scenarios  we  evaluated' 

Independent  Report:  The  Forrester  Wave  Application  Server  Platforms,  Q3  2007’ 


Best  in  15  of  20  Categories 

SOA  World  Magazine  2007  Reader's  Choice  Awards2 


Oracle  Fusion  Middleware  from 


Dpyright  ©  2007,  Oracle.  All  rights  reserved.  Oracle  is  a  registered  trademark  of  Oracle  Corporation  and/or  its  affiliates.  Other  names  may  be  trademarks  of  their  respective  owners. 


oracle.com/middleware 
or  call  1.800.0RACLE.1 


One 

Company, 
One  Vision, 

One TRUTH 

BY  THOMAS  W  A  I  L  G  U  M 


mfM 


nits 


As  Nationwide  Insurance  grew,  its  data  became 
siloed  and  scattered,  making  it  increasingly  difficult 
for  the  company  to  get  an  accurate  picture  of  its 
fi nances.  Here’s  how  it  brought  al  I  that  data  i nto  focus. 


Reader  ROI 

::  The  benefits  of  master  data  management 
”  Rules  for  implementing  an  MDM  solution 
::  The  tools  Nationwide  used 


JANUARY  15,  2008  |  www.cio.com 


PHOTOGRAPHY  BY  STEPHEN  WEBSTER 


Master  Data  Management 


COVER  STORY 


When  Michael  Keller 

became  CIO,  he  wanted  to 
know  how  much  Nationwide 
was  spending  on  IT.  “The 
answer  was,  we  didn’t  know.” 


In  a  span  of  three  short  years, 

between  2000  and  2002,  Nationwide  Insurance 
got  a  new  CEO,  CIO  and  CFO. 

I  Jerry  Jurgensen,  elected  by  Nationwide’s 
board  in  2000  to  replace  the  retiring 

I  CEO,  was  hired  for  his  finan¬ 
cial  acumen  and  his  ability 
to  transform  a  business’s 
|  culture. 

Michael  Keller  was  named 
the  company’s  first  enter¬ 
prisewide  CIO  the  follow¬ 
ing  year.  He  had  25  years 
of  IT  experience  managing 
big  infrastructure  and  sys¬ 
tems  integration  projects. 

In  2002,  Robert  Rosholt 

(replaced  the  retiring 
CFO  and  joined  the 
others  in  Nationwide’s 
Columbus,  Ohio,  head- 

I 

quarters,  bringing  along 
deep  experience  in  all 
things  financial. 

The  three  were 
old  buddies  who  had 
worked  together  at 
financial  giant  Bank 
One.  Now  they  held  the 

reins  at  Nationwide  and 

f 

their  goal  was  to  take 
its  dozens  of  business 
units,  selling  a  diverse  set 
of  insurance  and  financial 
products,  to  a  higher  level. 

In  2001,  Nationwide  was 
profitable  to  the  tune  of  $138 
million  and  board  members 
had  billion-dollar  aspirations 
for  that  line  item. 

1 


But  to  get  there,  Jurgensen  needed  financial  snap¬ 
shots  of  how  Nationwide  was  doing  at  any  given 
moment.  And  getting  them  wasn’t  so  easy. 

In  fact,  it  was  almost  impossible. 

The  Fog  of  Finance 

“When  you’re  dealing  with  14 
general  ledger  platforms  and 
over  50  applications,”  Rosholt 
says,  “it  was  enormous  work  to 
get  the  financials  out.” 

The  problem  lay  knotted 
in  a  tangle  of  systems  and 
applications,  and  some  240 
sources  of  financial  data  flow¬ 
ing  in  and  around  Nation¬ 
wide’s  business  units. 
The  units  had  always 
run  independently,  and 
that’s  how  financial  report¬ 
ing  was  handled.  “There 
was  a  variety  of  [financial 
reporting]  languages,” 
Rosholt  says,  which 
affected  Nationwide’s 
ability  to  forecast, 
budget  and  report. 
“It  was  difficult,”  says 
Rosholt,  to  ask,  “How 
are  we  doing?” 

Keller’s  situation 
was  no  better. 

“One  of  the  first 
questions  I  was  asked 
when  I  joined  was, 
How  much  money 
do  we  spend,  total,  on 
IT?”  Keller  recalls.  “The 
answer  was,  we  didn’t 
know.  It  took  weeks 


www.cio.com  |  JANUARY  15,  2008  31 


COVER  STORY 


Master  Data  Management 


Inside  Nationwide 

Nationwide  Insurance,  a  diversified  insurance 
and  financial  services  company 

Headquarters:  Columbus,  Ohio 

Revenue:  $160  billion  in  assets;  $21  billion  in  annual  revenues 
CEO:  Jerry  Jurgensen 
CFO:  Robert  Rosholt 
CIO:  Michael  Keller 

Employees:  36,000 
IT  Employees:  5,500 

Focus  Project  Fast  Facts:  280  team  members  worked 
1.2  million  man  hours  (including  overtime)  over  24  months 


to  put  that  answer  together.” 

Jurgensen  wanted  to  be  able  to  run 
Nationwide  as  if  it  were  one  unified  enter¬ 
prise.  He  wanted,  in  Rosholt’s  words,  “to 
do  things  that  are  common,  and  respect 
the  things  that  are  different.  And  that  was 
a  big  change.” 

Indeed,  the  transformation  the  com¬ 
pany  embarked  upon  in  early  2004  was 
daunting— a  master  data  management 
makeover  that  would  alter  how  every 
Nationwide  business  reported  its  finan¬ 
cials,  how  accounting  personnel  did 
their  jobs,  how  data  was  governed  and  by 
whom,  and  how  the  company’s  informa¬ 
tion  systems  would  pull  all  that  together. 

The  goal  was  simple:  one  platform,  one 
version  of  the  financial  truth. 

Simple  goal.  But  a  difficult  challenge. 

What  Is  Master  Data 
Management? 

Master  data  management  projects  come 
in  all  shapes  and  sizes.  Most  often,  MDM 
addresses  customer  data  management 
requirements,  hence  the  term  customer 
data  integration,  or  CDI,  which  is  often 
used  interchangeably  with  MDM,  though 
many  contend  the  concepts  differ.  But 
MDM,  as  it’s  now  used,  boils  down  to  a 
set  of  processes  and  technologies  that 
help  enterprises  better  manage  their  data 
flow,  its  integrity  and  synchronization.  At 
the  core  is  a  governance  mechanism  by 
which  data  policies  and  definitions  can  be 
enforced  on  an  enterprise  scale. 

The  result  is  much  more  than  just  clean 
data.  MDM  offers  companies  a  tantaliz¬ 
ing  vision:  a  “single  version  of  the  truth” 
gathered  from  vast  databases  of  internal 
assets,  says  James  Kobielus,  principal 
analyst  of  data  management  at  market 
researcher  Current  Analysis.  Heard  it  all 
before?  “MDM  is  a  relatively  new  term  for 
a  timeless  concern,”  Kobielus  concedes. 
That  hasn’t  tempered  vendor  enthusiasm. 
Vendors  of  all  stripes— BI,  data  warehous¬ 
ing,  data  management,  performance  man¬ 
agement,  CRM,  ERP— are  rolling  out  their 
disparate  products  under  the  MDM  ban¬ 
ner.  Forrester  Research  reports  that  MDM 
license  and  service  revenue  from  software 
vendors  and  systems  integrators  will 


grow  from  $1.1  billion  in  2006  to  more 
than  $6.6  billion  in  2010. 

Even  with  all  the  vendor  buzz,  research 
conducted  last  year  shows  that  CIOs  are 
struggling  with  data  management:  75  per¬ 
cent  of  162  CIOs  surveyed  by  Accenture 
said  they  want  to  develop  an  overall  infor¬ 
mation  management  strategy  in  the  next 
three  years  in  order  to  “leverage  that  data 
for  strategic  advantage.”  But  a  Forrester 
Consulting  survey  of  407  senior  IT  deci¬ 
sion  makers  at  companies  with  more  than 
$250  million  in  annual  revenues  found 
that  manual  efforts  remain  the  dominant 
approach  for  integrating  data  silos. 

That’s  because  an  MDM  transforma¬ 
tion  is  as  much  about  mastering  change 
management  as  it  is  about  data  manage¬ 
ment.  As  Kobielus  says,  “In  the  hyper- 
siloed  real  world  of  enterprise  networking, 
master  data  is  scattered  all  over  creation 
and  subjected  to  a  fragmented,  inconsis¬ 
tent,  rickety  set  of  manual  and  automated 
processes.”  Good  master  data  governance 
can  happen  only  when  the  various  con¬ 
stituencies  that  own  the  data  sources  agree 
on  a  common  set  of  definitions,  rules  and 
synchronized  procedures,  which  requires 
a  degree  of  political  maneuvering  that’s 
not  for  the  faint  of  heart. 

Nationwide  began  its  finance  transfor¬ 
mation  program,  which  included  its  MDM 
initiative,  called  Focus,  with  its  eyes  wide 


open.  The  executive  troika  of  Jurgensen, 
Rosholt  and  Keller  had  pulled  off  a  similar 
project  at  Bank  One  and  thought  it  knew 
how  to  avoid  the  big  mistakes.  That,  in 
part,  is  why  Rosholt,  who  had  ultimate 
say  on  the  project,  would  not  budge  on  its 
24-month  time  line.  “The  most  important 
aspect  was  sticking  to  discipline  and  not 
wavering,”  he  recalls.  And  that’s  why  the 
technology  piece  was,  from  the  outset,  the 
last  question  to  be  addressed. 

“It  wasn’t  a  technology  project,”  insists 
Lynda  Butler,  whose  VP  of  performance 
management  position  was  created  to 
oversee  Focus  (which  stands  for  Faster, 
Online,  Customer-driven,  User-friendly, 
Streamlined).  She  says  that  Nationwide 
approached  MDM  first  and  foremost  as  a 
business  and  financial  project. 

Nationwide  considers  the  project,  which 
made  its  deadline,  a  success,  although 
everyone  interviewed  for  this  article 
stresses  that  there’s  more  work  to  be  done. 
Says  Keller:  “There’s  a  foundation  to  build 
on  where  there  wasn’t  one  before.” 

Getting  Started  on  MDM 

“Fourteen  general  ledgers,  12  report¬ 
ing  tools,  17  financial  data  repositories 
and  300,000  spreadsheets  were  used 
in  finance,”  says  Butler.  “That’s  not  real 
conducive  to  ‘one  version  of  the  truth.’” 

Early  in  his  tenure  as  CEO,  Jurgensen’s 


32  JANUARY  15,  2008  |  www.cio.com 


T  H  OUGHT  LEADERSHIP  SERIES 


CIO  Publisher 
Emeritus 
Gary  Beach  recently 
discussed  innovation 
and  disruptive 
technologies  with 
four  IT  executives : 

Peter  Whatnell 
Chief  Information  Officer, 
Sunoco  Corporation 

Rebecca  Rhoads 
Vice  President  and 
Chief  Information  Officer, 
Raytheon 

Robert  Israel 
Vice  President  and 
Chief  Information  Officer, 
John  C.  Lincoln 
Health  Network 

Jan-Maarten  Van  Dongen 
Chief  Technology  Ojfcer 
HP  Software 


invent 


ADVERTISING  SUPPLEMENT 


^  Fr.meu.oH k*  TRANSFORMATION 


Following  is  an  excerpt  from  their  discussion. 
The  full  webcast  is  available  at  www.cio.com/ 
webcasts/sponsored/hp-itil 

Gary  Beach: 

I  recently  met  with  the  CEO  of  one  of  the 
world’s  largest  companies.  I  asked  him  what 
he  thought  of  technology.  He  paused,  leaned 
forward,  and  said  to  me  “...I  don’t  think 
about  technology  at  all.  What  I  do  think 
about  is  what  technology  can  do  for  my  firm 
in  terms  of  the  business  context.” 

But  CIOs  and  IT  execs  do  think  about 
technology.  Research  from  the  CIO 
Executive  Council  strongly  suggests  they 
are  well  on  their  journey  from  focused  on 
being  operational  experts  to  being  business 
transformation  experts.  One  of  the  tools 
that  they’ve  been  using  for  several  years  now 
to  help  them  in  that  journey  is  the  Infor¬ 
mation  Technology  Infrastructure  Library, 
often  known  as  ITIL.  ITIL  recently  came 
out  with  version  3,  which  put  a  clear  focus 
not  so  much  on  the  infrastructure  and  the 
processes  of  information  technology,  but  on 
information  technology  as  a  business  service. 

Joining  me  today  to  discuss  information 
technology  as  a  business  service  are  Rebecca 
Rhoads.  Rebecca  is  the  Vice  President  and 
Chief  Information  Officer  for  the  Raytheon 
Corporation.  We  also  have  Rob  Israel.  Rob 
is  the  Vice  President  and  Chief  Informa¬ 
tion  Officer  for  the  John  C.  Lincoln  Health 
Network.  Joining  us,  too,  is  Peter  Whatnell. 
Peter  is  the  Chief  Information  Officer  for 


Sunoco  Corporation.  And  we  have  Jan- 
Maarten  Van  Dongen,  who’s  the  CTO 
for  HP  Software. 

I’d  like  to  ask  first,  in  terms  of  that  introduc¬ 
tion  on  the  CEO,  what’s  your  take  on  where 
are  CIOs  and  senior  IT  executives  at  that 
crossroads? 

Peter  Whatnell:  I  think  if  you  imagine  this 
is  new  news,  you’re  probably  too  late  to 
make  the  change.  People  I  know  started 
down  this  path  probably  five  or  seven  years 
ago,  if  not  sooner. 

Rebecca  Rhoads:  I  think  that  for  quite 
some  time  we’ve  reinvented  ourselves  as 
transformation  experts  and  looked  at 
business  transformation,  and  in  many 
cases,  drive  business  transformation  inter¬ 
nally  within  our  companies.  But  in  addition 
to  that,  I  see  a  very  significant  role  as  a 
business  strategist.  And  so,  in  that  sense, 

I  resonate  with  the  CEO  that  you  were 
talking  to. 

Beach:  But  you’ve  got  to  keep  the  trains 
running  as  you’re  being  business  strategists. 
How  do  you  do  it? 

Rob  Israel:  I  think  the  CIO  is  being  drawn 
more  and  more  into  higher-level  executive 
discussions.  They’re  being  invited  to  the 
boardroom  tables.  They’re  being  brought 
in  for  preplanning  and  seeing  how  IT 
actually  fits  in  because  we  are  touching 
every  single  piece  of  the  organization. 


THOUGHT  LEADERSHIP  SERIES  1 


THOUGHT  LEADERSH 


SERIES 


ADVERTISING  SUPPLEMENT 


“A  couple  of  years  ago 
a  consultant friend 
of  mine  sat  down 
and  talked  to  me  and 
said  you  cant  do  this 
process  because  ids  not 
in  the  book.  And  I 
said  the  book's  wrong 
in  this  distance.  ” 
—  Rob  Israel 


Beach:  Rebecca,  I’d  like  to  get  a  sense  of 
where  you’re  at  in  terms  of  ITIL  because 
ITIL  version  3  just  came  out  recently. 


RhoadS:  Well,  we,  and  I  think  all  of  our 
companies  share  this,  in  that  we  naturally 
evolved  and  matured  our  processes  and  our 
services  management  over  several  years. 
What  the  value  of  the  ITIL  framework  is 
provided  to  us  is  just  that.  It’s  a  great  frame¬ 
work.  Its  a  framework  of  best  practices  and 
the  framework  reflects  where  were  at  today 
with  our  maturity  level  in  terms  of  manag¬ 
ing  services  and  processes. 


Israel:  I  really  like  the  word  framework.  We 
use  ITIL  as  a  framework  for  our  business 
strategies.  A  couple  of  years  ago  a  consultant 
friend  of  mine  sat  down  and  talked  to  me 
and  said  you  can’t  do  this  process  because 
it’s  not  in  the  book.  And  I  said  the  book’s 
wrong  in  this  instance. 


The  four  CIOs  who  shared  their  views  are  (left  to  right): 
Rebecca  Rhoads,  Robert  Israel,  Peter  Whatneil  and 
Jan-Maarten  Van  Dongen 


Whatneil:  We  don’t  use 
ITIL  in  terms  of  looking 
for  a  way  of  following 
the  processes  as  they’re 
laid  down  to  become 
certified  to  certain 
versions.  But  we  are 
very  process  driven.  We 
started  about  five  years 


ago.  Because  we’re  a  refining  company, 
it’s  a  process  manufacturing  company.  So, 
we  took  the  process  methodology  and  the 
process  management  methodology  that  a 
manufacturing  organization  was  using  and 
we’ve  adopted  that  in  the  IT  organization. 


Besch:  Jan-Maarten,  where  are  you  at  HP? 


CIO 


Jan-Maarten  Van  Dongen:  In  the  software 
portfolio  all  the  solutions  we’ve  been  deliv¬ 
ering  we’ve  always  followed,  especially  the 
version  2  around  the  people  process  tech¬ 


nology,  organization  fully  certified  trained. 
And  then  the  process  side  our  consulting 
organization  actually  adopted  what  we  call 
the  ITSM  reference  model,  which  actually 
takes  the  process  of  how  ITIL  says  this  is 
like  best  practices,  but  it  doesn’t  tell  you 
how  to  implement  or  how  to  guide  them 
and  the  model  actually  helps  you  then  actu¬ 
ally  say  where  do  you  start  and  how  do  you 
go  from  there. 


B63Ch:  Let’s  talk  more  about  business-IT 
alignment  because  the  service  aspect  is  like 
the  result  of  business  IT  alignment. 


Israel:  A  lot  of  GIOs  will  go  in  and  they  will 
speak  techno  babble.  They  will  speak  bits, 
bytes,  bandwidth,  and  you’ll  quickly  loose 
your  audience.  One  of  the  things  one  of  my 
mentors  has  always  taught  me  and  reiter¬ 
ated  to  me  is  speak  to  your  audience.  The 
CEO  and  CFO  don’t  care  about  network¬ 
ing  bandwidth.  They  don’t  care  about  the 
techno  speak.  They  want  to  know  how  it’s 
going  to  impact  their  bottom  line  or  how 
it’s  going  to  impact  the  mission  of  the  orga¬ 
nization.  So,  I  think  that’s  a  great  point  you 
bring  up.  Don’t  go  in  as  a  CIO.  Go  in  as  a 
business  partner. 


Beach:  And  ask  the  question  how  are  we 
making  money? 


Van  Dongen:  If  you  look  to  all  the  business 
processes  in  the  company  right  now,  they 
can’t  do  without  IT.  It’s  not  a  support  func¬ 
tion  anymore,  but  a  real  component  of  the 
overall  doing  business  in  your  company  and 
your  core  activities.  And  besides,  I  think  IT 
can  be  a  huge  innovation  part  on  that  either 
top/down;  we  actually  say  I’d  like  to  modify 
or  innovate  my  business  processes,  how  can 
IT  help,  or  vice  versa.  I  see  these  new  dis¬ 
ruptive  technologies;  what  can  I  do  to  them 
to  make  competitive  advantage? 


Custom  Solutions  Group 

|® 


Want  to  hear  more ?  The  conversation  continues  at  www.  cio.  com/ webcasts/ sponsored/ hp-itil 


m 


n  v  e  n  t 


THOUGHT  LEADERSHIP  SERIES  2 


and  see  both  the  needs  of  the  businesses 
versus  the  needs  of  the  enterprise,”  she 
says.  “I  could  play  devil’s  advocate  with 
myself.” 

CFO  Rosholt  went  back  to  his  Bank 
One  roots  and  recruited  Vikas  Gopal,  who 
had  proven  his  mettle  on  similar  projects, 
to  lead  the  IT  team.  Altogether,  Butler  and 
Gopal  would  have  280  project  manage¬ 
ment,  finance  and  IT  folks  working  on  the 
transformation. 


Vast  Project, 

Defined  Rules 

Rosholt  was  the  business  sponsor  (with 
Jurgensen  providing  high-level  support), 
and  he  laid  down  several  rules  at  the  start. 
The  first  was  that  he  was  not  going  to 
budge  on  the  24-month  schedule.  “When 
you  take  longer,  you  don’t  get  that  much 
more  done;  you  just  burn  people  out, 
spend  more  money,  and  it’s  more  frus¬ 
trating,”  Rosholt  says.  “So  you  set  stretch 
goals  and  go  after  it.” 

With  no  wiggle  room  on  the  time  line, 
the  team,  with  Rosholt’s  encouragement, 
followed  the  “80/20”  rule.  It  knew  that 
it  wasn’t  going  to  get  100  percent  of  the 
desired  functionality  of  the  new  MDM 
system,  so  the  team  decided  that  if  it 
could  get  roughly  80  percent  of  the 
project  up  and  running  in  24  months, 
it  could  fix  the  remaining  20  percent 
later.  “If  we  went  after  perfection,” 
says  Rosholt,  “we’d  still  be  at  it.” 

Keeping  in  mind  that  no  one 
would  get  everything  he  wanted,  the 
Focus  team  interviewed  key  stake¬ 
holders  in  Nationwide’s  business 
units  to  understand  where  their 
pain  points  were.  “We  went  back 
to  basics,”  says  Gopal.  “We  said, 
‘Let’s  talk  about  your  financial 
systems,  how  they  help  your 
decision  making.’”  The  team 
then  determined  where  senior 
management  wanted  to  focus 
and  presented  it  with  a 
choice  of  10  different  finan¬ 
cial  competencies.  “Do 
we  want  to  be  the  best 
company  that  does 
transaction  record- 


concerns  about  the  company’s  finan¬ 
cials  weren’t  limited  to  the  timeliness 
of  the  data;  he  was  also  worried  about 
its  integrity  and  accuracy.  He  and  other 
execs  knew  that  faster  access  to  more 
comprehensive  data  sets  would  allow  for 
better  trend  analysis  and  forecasting  deci¬ 
sions,  and  would  strengthen  budgeting, 
reporting  and  accounting  processes.  For 
example,  because  Nationwide  had  such 
a  variety  of  businesses,  the  company 
carried  a  lot  of  risk— some  easily  visible, 
some  not.  “So,  if  equity  markets  went 
down,  we  were  exposed,”  notes  Butler. 
“But  we  didn’t  realize  that  until  the  mar¬ 
kets  actually  went  down.  We  needed  some 
enterprise  view  of  the  world.” 

One  of  Nationwide’s  subsidiaries, 
Nationwide  Financial  Services,  is  a  public 
company  and  has  the  requisite  regulatory 
and  compliance  responsibilities  (such  as 
Sarbanes-Oxley),  but  the  rest  of  Nation¬ 
wide  Insurance  is  a  mutual  company 
owned  by  its  policyholders,  and 
doesn’t  have  those  requirements. 

Rosholt  says  the  entire  com¬ 
pany  will  move  to  Sarbox-like 
requirements  by  2010,  and 
the  Focus  project  provided  a 
kick-start  to  unifying  the  rest 
of  the  company’s  financials 
to  accommodate  more  strin¬ 
gent  accounting  practices. 

Executives  also  knew  that 
common  data  definitions 
among  all  the  business  units 
would  provide  comparable 
financial  data  for  analysis 
(which  was  difficult,  if  not 
impossible,  without  those 
definitions).  “We  needed 
consistent  data  across  the 
organization,”  Rosholt  says. 

“We  were  looking  for  one  book 
of record.” 

The  Focus  project  team  began 
envisioning  the  scope  and  plan  in 
January  2004.  Rosholt  handed  off 
day-to-day  responsibilities  on  the 
finance  side  to  Butler,  his  “change 
champion,”  who  had  worked  in 
corporate  headquarters  and  in  a  busi¬ 
ness  unit.  “I  had  the  dual  perspective 


“When  you’re  dealing  with  14  general 
ledger  platforms  and  over  50 
applications,”  says  Nationwide  CFO 
Robert  Rosholt,  “it  was  enormous 
work  to  get  the  financials  out.” 


COVER  STORY 


Master  Data  Management 


Nationwide’s 

MDM  Toolbox 

Nationwide  Insurance’s  master  data 
management  project  required  the  integration 
of  its  back-office  systems  and  front-end  user 
interfaces.  Here’s  a  look  at  the  key  players: 

BACKEND 

EMC  storage  technologies 

Informatica  data  management  and  integration  platforms 
Kalido  workflow  software  and  MDM  repository  technologies 
Oracle  databases 

Teradata  enterprise  data  warehouse 

FRONT  END 

Hyperion  planning  and  reporting  tools 
IBM  WebSphere  integration  software 
Microsoft  financial  applications 

PeopleSoft  ERP  general  ledger,  performance  management 
and  reporting  applications 


ing?  Or  enterprise  risk?  Or  analytics?” 
Gopal  says. 

In  other  words,  people  were  introduced 
to  the  concept  of  making  trade-offs,  which 
allowed  the  Focus  team  to  target  the  sys¬ 
tem’s  core  functionalities  and  keep  control 
over  the  project’s  scope. 

You  Say  Tomato; 

I  Say  Tomahto 

After  interviewing  the  key  stakeholders 
and  identifying  the  core  functionalities— 
business  planning,  capital  optimization, 
risk  management,  analysis,  interpreta¬ 
tion,  records,  reporting,  organizational 
management,  stakeholder  management 
and  accounting  policy  management— the 
next  thing  the  team  did  was  create  a  data 
governance  system.  The  system  instituted 
repeatable  processes  and  specific  rules  for 
compiling,  analyzing  and  reporting  the 
financial  data  on  both  a  business-unit 
level  and  an  enterprise  level.  The  process 
would  take  place  on  a  daily  basis  and 
would  touch  all  of  the  back-end  systems 
(for  example,  the  PeopleSoft  ERP  system) 
and  the  front-end  (Hyperion  and  Micro¬ 
soft  financial  applications). 

“Pre-Focus,  there  was  no  data  gover¬ 
nance,”  Butler  says.  “We  had  to  put  in  some 
policies,  rules  and  procedures  [for  manag¬ 
ing  the  data]  at  the  top  of  the  house,  which 
at  times  has  had  a  contentious  relationship 
with  the  business  units.”  In  other  words, 
business  units  had  run  independently  for 
so  long,  with  their  own  definitions  and  their 
own  bookkeeping  methods,  they  couldn’t 
see  the  value  in  common  data  sets. 

Nationwide  formed  a  data  governance 
group  whose  members,  from  finance  and 
IT,  would  be  the  “keepers  of  the  book  of 
record,”  the  rules  of  the  MDM  system, 
Gopal  notes.  The  group’s  charge  was  to 
figure  out  how  each  business  unit’s  finan¬ 
cial  data  definitions  would  transform  into 
data  sets  that  could  be  standardized  and 
imported  into  the  MDM  financial  system. 
But  first,  because  there  were  hundreds  of 
sources  and  classifications  of  data,  it  was 
critical  that  the  various  business-unit 
stakeholders  on  the  data  governance  team 
agree  on  definitions.  If  there  are  two  dif¬ 
ferent  ways  to  classify  one  data  set— for 


example,  if  one  unit  calls  a  Nationwide 
product  “Standard  Auto”  and  another 
calls  the  same  product  “Std  Auto,”  or 
similar  differences  in  defining  “purchase 
order,”  “invoice”  or  “customer”— then  the 
system  is  worthless.  “You  simply  cannot 
have  both,”  Gopal  says. 

Another,  more  complex  example  is  how 
business  units  defined  geographic  infor¬ 
mation.  Gopal  says  that  different  applica¬ 
tions  had  geography  rolled  up  differently 
(for  example,  Eastern/Western  or  North¬ 
east/Midwest).  But  in  various  applications, 
Illinois  could  have  been  in  the  Western 
region  and  in  others  it  could  have  been  in 
the  Midwestern  region.  ‘Aggregating  data 
from  various  sources,  taking  in  the  ‘rolled 
up’  level,  made  [achieving]  an  enterprise 
[view]  very  difficult,”  Gopal  says. 

Even  with  a  mature  data  governance 
program,  he  notes,  the  classification  and 
reclassification  process  is  “never  ending” 
because  there  are  always  “people  com¬ 
ing  back  with  creative  ideas  on  how  you 
can  improve  the  workflow  [of  the  MDM 


system]  to  work  better  with  the  appli¬ 
cations.” 

Tool  Time 

It  was  only  after  the  requirements,  defini¬ 
tions  and  parameters  were  mapped  out 
that  Gopal’s  group  began  looking  at  tech¬ 
nologies.  Gopal  had  two  rules  to  guide 
them:  First,  all  finance-related  systems 
had  to  be  subscribers  to  the  central  book 
of  record.  Second,  none  of  the  master  data 
in  any  of  the  financial  applications  could 
ever  be  out  of  sync. 

So  the  Focus  team’s  final  step  was  to 
evaluate  technologies  that  would  follow 
and  enforce  those  rules. 

The  team  reasoned  that  it  had  neither 
the  time  nor  the  inclination  to  invent  MDM 
technology  at  Nationwide.  “We  wanted  to 
start  off  on  the  right  footing  from  a  TCO 
perspective;  with  only  24  months  you 
don’t  have  a  ton  of  time  to  build  a  lot  of 
stuff,”  Gopal  says.  His  team  sought  out 
best-of-breed  MDM  toolsets  from  vendors 
such  as  Kalido  and  Teradata  that  would 


34  JANUARY  15,  2008  |  www.cio.com 


Another  giant  leap. 

At  ISG,  we  have  taken  our  first  step  in  building  the  world’s  foremost  information-based  services  company  with  the 
acquisition  of  TPI.  TPI  is  the  acknowledged  leader  in  helping  major  corporations  optimize  their  business  operations 
through  the  best  combination  of  outsourcing,  offshoring,  shared  services  and  internal  service  optimization.  And  with 
the  impressive  management  team  from  ISG,  we  are  well  on  our  way  to  building  a  billion-dollar  company  in  three  years. 
What  can  investors  look  forward  to?  A  giant  leap  in  creating  significant  shareholder  value.  For  more  information 
about  ISG  visit  www.informationsg.com. 

Information  Services  Group,  Inc.  is  traded  under  the  ticker  symbol  III. 


ISG 

INFORMATION 

SERVICES 

GROUP 


Australia,  France,  Germany,  India,  Japan,  The  Netherlands,  New  Zealand,  Singapore,  Sweden,  United  Kingdom  and  United  States 


©ISC  2008 


COVER  STORY 


Master  Data  Management 


“You  have  to  sell  the  vision,  and  the  benefits.  In  some  businesses,  it 
wasn’t  a  ‘win-win.’  In  the  smaller,  more  compact  businesses,  they’d 
say,  ‘I’ve  got  a  very  simple  system  and  we’ve  been  working  on  this 
for  15  years.  Why  are  you  disrupting  my  life?’  And  you  really  couldn’t 
make  a  strong  argument  that  the  way  they  live  today  is  going  to  be 
dramatically  better  because  a  lot  of  it  was  about  the  enterprise.” 


be  able  to  tie  into  their  existing  systems. 
(See  “Nationwide’s  MDM  Toolbox,”  Page 
34,  for  a  brief  description  of  the  technolo¬ 
gies  that  make  Focus  work.)  Gopal  wasn’t 
overly  “worried  about  [technology]  exe¬ 
cution”  because  he  had  assembled  this 
type  of  system  before  and  knew  that  the 
technology  solutions  on  the  market,  even 
in  the  most  vanilla  forms,  were  robust 
enough  for  Nationwide’s  needs. 

What  did  worry  him  was  Nationwide’s 
legion  of  financial  employees  who  didn’t 
relish  the  idea  of  changing  the  way  they 
went  about  their  work. 

The  Culture  Wars 

Though  Jurgensen,  Rosholt  and  Keller 
weren’t  involved  in  the  day-to-day  minu¬ 
tiae  that  accompanies  a  massive  project 
such  as  Focus,  it  was  never  far  from  their 
minds.  The  Focus  team  needed  their 
support  at  almost  every  turn.  A  trans¬ 
formation  unlike  anything  the  36,000 
Nationwide  Insurance  employees  had 
ever  seen  was  at  hand.  Rosholt  knew  he 
had  to  make  one  of  the  most  important 
sales  of  his  career.  “You  have  to  sell  the 
vision,  and  the  benefits,”  he  says.  The 
most  difficult  part  was  getting  everyone 
to  take  their  medicine  because  it  was  good 
for  the  enterprise.  “In  some  businesses,  it 
wasn’t  a  ‘win-win,’”  Rosholt  says.  “In  the 
smaller,  more  compact  businesses,  they’d 
say,  ‘I’ve  got  a  very  simple  system  and 
we’ve  been  working  on  this  for  15  years. 
Why  are  you  disrupting  my  life?”’  And 
to  a  degree,  Rosholt  felt  their  pain.  “You 
really  couldn’t  make  a  strong  argument 
that  the  way  they  live  today  is  going  to  be 
dramatically  better,  because  a  lot  of  it  was 
about  the  enterprise,”  he  says. 

At  the  beginning  of  the  program. 
Nationwide  formed  a  “One  Finance  Fam- 


-ROBERT 

ily”  program  that  tried  to  unify  all  the 
finance  folks  around  Focus.  Executives 
were  also  able  to  identify  those  employees 
who  were  most  affected  through  weekly 
“change  meetings”  and  provide  support. 
In  addition,  executives  placed  dedicated 
communications  personnel  who  were 
responsible  for  communicating  and  man¬ 
aging  change  through  the  meetings  and 
media  channels. 

The  Focus  team  had  to  remain  resolute. 
The  overarching  theme,  that  there  would 
be  no  compromise  in  data  quality  and 
integrity,  was  repeated  early  and  often, 
and  execs  made  sure  that  the  gravity  of 
the  change  was  communicated  before 
anyone  saw  any  new  software. 

Finally,  in  March  2005,  with  three 
waves  of  planned  deployments  ahead  of 
it,  the  team  started  rolling  out  the  new 
Focus  system. 

One  of  the  first  businesses  to  make  the 
transition  was  one  of  CIO  Keller’s  divi¬ 
sions,  Nationwide  Shared  Services,  which 
handles  document  services  and  sourcing, 
among  other  functions.  (His  IT  division 
also  was  an  early  adopter.) 

“We  were  a  guinea  pig,”  he  recalls.  “We 
had  pretty  good  [financial]  systems  and 


More  on  MDM 


Master  Data  Management:  Truth  Behind 
the  Hype.  Master  data  management  is 
sneaking  up  on  SOA  as  the  most  overused 
IT  buzzword.  CIOs  call  the  transformation 
a  brutal  combination  of  bridging  techno¬ 
logical  silos  and  managing  turf  battles, 
www.cio. com/article/110558 

Demystifying  Master  Data  Management 

Organizations  must  understand  that 
improving  their  data— and  building  the 
foundation  for  MDM— requires  them  to 
address  internal  disagreements  and  bro¬ 
ken  processes. 

www.cio.  com/article/106811 

cio.com 


ROSHOLT,  CFO,  NATIONWIDE 

were  able  to  do  what  we  needed  to  do,  pre- 
Focus.  We  wanted  parity  to  do  what  we 
did  before.  It’s  a  harder  sell  to  people  who 
weren’t  getting  the  business  benefits.”  But 
it  was  clear  that  Focus  was  the  better— 
and  only— way. 

Wednesday  Night  Pizza 

Transformational  IT  projects,  with  spir¬ 
ited  kickoff  parties,  awkward  executive 
speeches  and  quirky  gifts  for  the  project 
team  (T-shirts  saying  “I  Survived  Focus”) 
are  infamous  for  a  precipitous  drop  in 
enthusiasm  shortly  after  launch.  Both 
Rosholt  and  Keller  have  seen  their  fair 
share  of  good  and  bad  projects.  “We’ve 
seen  it  all,”  Rosholt  says. 

Keller’s  experience  not  only  taught  him 
about  the  need  for  high-level  sponsorship 
but  also  the  necessity  for  creating  a  forum 
for  ongoing  discussions.  This  was  espe¬ 
cially  critical  for  Focus  because,  by  nature, 
MDM  transformations  require  continuous 
debate  and  dialogue  regarding  changes  to 
how  employees  describe,  manipulate  and 
share  the  very  data  that  defines  their  jobs. 

Thus  was  born  Wednesday  Night 
Pizza,  a  weekly  gathering  of  the  execu¬ 
tive  steering  committee  members  (CFOs, 
finance  controllers,  and  IT  leaders  and 
project  managers).  The  meetings  started 
at  5  p.m.  and  occasionally  ran  until  10 
p.m.  “Rarely  did  it  last  less  than  two  or 
three  hours,”  Rosholt  says.  “We  would 
bang  through  all  the  issues  that  changed 
every  day.”  Team  members  sat  face-to- 
face,  over  pizza,  and  worked  through  key 
change  management  and  data  governance 
challenges,  always  sticking  to  the  80/20 
rule  and  always  with  a  silent  nod  to  the 
immutable  24-month  deadline. 

The  fact  that  Rosholt  was  a  regular 
attendee  was  not  lost  on  anyone.  “Having 


36  JANUARY  15,  2008  |  www.cio.com 


ADVERTISING  SUPPLEMENT 


Today's  IT  Leaders  on  Market  Trends 


DATA  CENTER  AUTOMATION 

Being  able  to  automate  key  processes  will  improve  business 
service  and  lead  to  competitive  advantage 


Automation— it’s  what  computers  are  all  about. 

And  yet  the  very  hub  of  the  enterprise  infra¬ 
structure — the  data  center — often  still  relies  on 
a  largely  manually  administered  environment.  In  many 
organizations  even  today,  pockets  of  experts  continue  to 
train  on  and  support  a  variety  of 
heterogeneous  or  disconnected 
toolsets,  databases  and  systems. 

Designing  data  center  en¬ 
vironments  around  technologies 
rather  than  services  leads  to  a  host 
of  problems.  When  IT  organiza¬ 
tions  fail  to  automate  the  systems 
that  deliver  IT  services,  they  are 
unable  to  achieve  a  correlated 
real-time  view  of  the  performance 
of  components  that  constitute  a 

business  service.  So,  they  may  not  know  that  service  qual¬ 
ity  has  degraded  until  users  complain,  and  determining  the 
root  cause  of  problems  may  require  manual  investigation 
and  involve  multiple  experts  before  the  issue  is  resolved. 

An  organization  that  operates  in  this  expensive  and 
reactive  way  cannot  respond  in  real-time  to  avoid  degrada¬ 
tions  and  improve  service  levels  to  the  business.  There’s 
increasing  recognition  by  IT  leaders  that  this  state  of  affairs 
is  untenable,  as  business  demands  more  and  better  IT  ser¬ 
vices,  and  IT  domains  increasingly  share  services,  compo¬ 
nents  and  processes.  In  a  recent  survey  conducted  by  IDG 
Research  Services,  almost  70  percent  of  100  U.S.  organiza¬ 
tions  say  they  have  automated  many  data  center  processes, 
with  just  over  40  percent  of  them  claiming  to  have  also 
achieved  centralized  governance  of  these  processes.  They 
are  being  driven  inexorably  to  greater  automation  by: 

•  The  pace  of  network  and  system  change  and  the 
challenge  of  manually  securing  and  managing  these  in-flux 
environments  as  businesses  expand  to  connect  to  partners, 


suppliers  and  customers; 

•  The  drain  on  IT  resources.  By  automating  change 
management  and  provisioning,  staff  members  can  be  freed 
to  work  on  projects  that  promise  real  business  returns; 

•  The  emergence  of  technologies  that  enhance  the 

business’  productivity  and  ability 
to  innovate  but  increase  IT  man¬ 
agement  complexity; 

•  The  rise  of  best-practice 
frameworks  that  improve  busi¬ 
ness  services  by  connecting  pro¬ 
cesses  across  silos. 

There’s  room  for  improve¬ 
ment,  even  among  those  organi¬ 
zations  that  have  already  bought 
into  automation  in  a  big  way. 

Only  10  percent  of  businesses 
claim  to  have  been  extremely  effective  in  automating  their 
data  centers,  while  43  percent  admit  to  being  not  at  all 
or  only  somewhat  effective.  It’s  vital  that  companies  raise 
their  games  when  it  comes  to  automating,  virtualizing  and 
centralizing  their  complex  and  interdependent  IT  pro¬ 
cesses  in  the  data  center  so  that  they  can 
become  better  service  providers  to  the 
business,  reducing  costs,  improving  ef¬ 
ficiencies,  and  meeting  goals  for  innova¬ 
tion.  Furthermore,  their  eyes  should  be 
on  a  greater  prize:  Bringing  intelligence 
to  the  automation  process. 


Automation  Outlook 

Without  centralized  automation  of  data 
center  processes,  companies  are  putting 
their  competitive  advantage  at  risk.  Con¬ 
sider  this:  82  percent  of  the  respondents 
say  that  automation  over  the  next  one 


About  CI02CI0 
Perspectives:  This 
peer-based  thought 
leadership  program 
analyzes  quantitative 
research  and  tests 
it  via  qualitative 
interviews  with  actual 
CIOs.  The  resulting 
executive  insight  is 
then  disseminated 
via  CXO's  multimedia 
assets.  To  learn  more 
about  CI02CI0 
Perspectives, 
please  contact 
mavery@cxo.com. 


CIO 


Custom  Solutions  Group 


Transforming 
IT  Management 


CI02CIO  |  AUTOMATION  I 


ADVERTISING  SUPPLEMENT 


Today's  IT  Leaders  on  Market  Trends 


to  two  years  will  play  a  significant  or  very  significant  role 
in  their  efforts  to  link  IT  services  with  business  priorities 
and  objectives.  Able  to  give  multiple  answers,  93  percent 
strongly  or  very  strongly  believe  that  automation  is  best 
defined  as  a  tactic  to  improve  service  processes,  while  81 
percent  define  it  as  a  tactic  for  supporting  strategic  goals. 

For  example,  if  you  can’t  auto¬ 
mate  workloads  to  improve  the  overall 
availability  and  performance  of  critical 
business  applications  and  services  in 
today’s  on-demand  and  dynamic  en¬ 
vironments,  how  can  you  support  the 
corporate  mission  to  grow  the  customer 
base  or  expand  into  new  markets?  Au¬ 
tomation  adds  muscle  around  the  IT 
backbone  that  helps  business  reach  its  corporate  goals  by 
improving  operational  efficiency  and  productivity,  service 
level  availability,  performance  and  the  ability  to  deliver  IT 
services  based  on  business  priorities,  while  reducing  hu¬ 
man  error — each  of  which  was  noted  by  respondents  as  an 
important  benefit  of  data  center  automation. 

The  predominant  challenge  (cited  by  59  percent)  to 
automating  data  centers  is  the  transformation  that  will 
be  required  in  the  way  organizations  train  IT  staff.  This 
change  can’t  be  underestimated,  as  it  not  only  disrupts  in¬ 
stitutionalized  practices  but  also  may  be  resisted  by  staff 
who  see  increasing  automation  as  a  threat  to  job  security 
or  the  value  of  their  expertise.  Companies  also  say  they  are 
challenged  by  factors  such  as  the  need  to  develop  an  overall 
strategic  plan  for  automation  and  determine  reliable  per¬ 
formance  metrics  of  its  success. 

Pushing  the  Automation  Envelope 

Two  major  technology  trends  and  one  IT  service  manage¬ 
ment  framework  are  advancing  the  pace  of  automation  in 
the  data  center:  Virtualization,  paired  naturally  as  it  is  with 
data  center  server  consolidation  efforts  (cited,  respectively, 
by  78  and  74  percent),  and  the  IT  Infrastructure  Library 
(ITIL),  noted  by  51  percent  of  survey  respondents. 

Virtualization  changes  the  concepts  of  jobs  and  re¬ 
sources,  potentially  bringing  new  levels  of  dynamism  to 


IT  environments.  It  can  enable  businesses  to  respond  more 
quickly  to  changing  needs  and  lower  capital  costs,  but  it 
also  challenges  IT,  as  the  unpredictability  of  workload  pro¬ 
cessing  demands  increases  in  these  flexible  environments. 

ITIL  is  a  natural  driver  for  automation,  as  the  auto¬ 
mation  of  processes  is  key  to  attaining  the  management  of 
business  services  that  the  framework 
seeks  to  achieve.  The  more  ITIL  pro¬ 
cesses  that  are  put  in  place,  and  the 
better  they  are  integrated  and  auto¬ 
mated,  the  easier  it  will  be  to  predict 
the  ebbs  and  flows  of  business  de¬ 
mands,  so  that  IT  can  effectively  man¬ 
age  supply  in  keeping  with  demand. 

Analytics  Comes  to  Automation 

As  IT  environments  become  more  dynamic,  so  too  must 
the  application  of  “intelligent  automation”  to  these  systems. 
Enter  business  intelligence.  The  future  of  automation,  for 
organizations  with  the  foresight  to  embrace  it,  revolves 
around  leveraging  the  intelligence  of  analytics  to  inform 
organizations’  decisions  about  what  processes  to  automate. 
Very  few  organizations  today — just  13  percent — are  us¬ 
ing  business  intelligence  to  govern  the  automation  of  IT 
processes.  But  59  percent  see  moving  towards  that  goal  as 
important  or  very  important,  and  within  three  years  nearly 
half  the  respondents  plan  to  do  so. 

While  intelligent  automation  may  be  the  future, 
there’s  no  time  like  the  present  to  ponder  your  next  im¬ 
mediate  move  to  drive  automation  deeper  into  the  infra¬ 
structure — and  support  your  organization  in  its  quest  to 
realize  its  strategic  goals. 


Go  to  www.cio.com/whitepapers/ca-automate 

to  download  the  free  white  paper  “Automation:  Key  to  Busi¬ 
ness  Service  Improvement.  ”  Based  on  a  major  survey  by  IDG 
Research  Services,  the  report  features  in-depth  discussions  with 
Cl Os  and  IT  leaders,  and  draws  on  peer  insights  to  help  Cl Os 
move  toward  better  management  and  optimization  of  their 
data  center  automation  initiatives. 


Automation  adds 

MUSCLE  AROUND  THE 
IT  BACKBONE  THAT 
HELPS  BUSINESS  REACH 
ITS  CORPORATE  GOALS. 


ca 


Transforming 
IT  Management 


Custom  Solutions  Group 


CI02CI0  |  AUTOMATION  2 


Business 

Technology 

Leadership 


Executive  Programs 

where  you  need  to  be 


CIO  Executive  Programs  combine  cutting-edge  education  and  networking  opportunities  for 
busy  executives.  Our  programs  attract  the  best  and  brightest  IT  executives  and  our  brand 
is  synonymous  with  the  highest  quality  and  integrity.  These  face-to-face  conferences  are 
regarded  as  the  trusted  networking  resource  for  the  nation’s  CIOs  because  we  know  and 
understand  the  executive  IT  community  better  than  any  other  IT  resource. 


CSO  Perspectives 

March  16-18,  2008 
InterContinental  Buckhead 
Atlanta,  Georgia 

CIO  Perspectives 

April  10,  2008  -  New  York,  New  York 
September  25,  2008  -  San  Francisco,  California 

The  CIO  Pocket  MBA 

April  14-18,  2008 

Boston  University  School  of  Management 
Boston,  Massachusetts 

CIO  Leadership  Event 

May  18-20,  2008 
Sheraton  Boston 
Boston,  Massachusetts 

CIO  &  CSO  Business  Continuity  Forum  2008 

July  15-16,  2008  - 

The  New  York  Marriott  at  the  Brooklyn  Bridge 
New  York,  New  York 


CIO  100  Symposium  &  Awards 

August  24-26,  2008 
The  Broadmoor 
Colorado  Springs,  Colorado 

Digital  ID  World 

September  8-10,  2008 
Hilton  Anaheim 
Anaheim,  California 

CIO|09  The  Year  Ahead 

November  9-1 1 , 2008 
Loews  Coronado  Bay 
San  Diego,  California 


COVER  STORY  |  Master  Data  Management 


the  clarity  of  what  outcomes  you  need 
and  having  [Rosholt’s]  decision  making 
weekly  was  absolutely  critical,”  Keller 
says.  Or  as  Gopal  puts  it,  “We  needed 
that  hammer  to  remove  some  of  the  bot¬ 
tlenecks.” 

Looking  back,  Rosholt  says  the  cost  of 
the  pizza  was  a  cheap  price  for  what  the 
group  accomplished  every  Wednesday. 
“There  were  so  many  lessons  learned  on 
the  issues  around  change  management 
and  communication  and  how  you  line 
people  up  to  do  their  jobs,”  he  says. 

On  those  front  lines,  the  work  was 
grueling.  “There  were  some  days  we  won¬ 
dered  if  there  would  be  a  light  at  the  end 
of  the  tunnel,  and  were  we  ever  going  to 
get  through  this?”  recalls  Butler.  “We  had 
two  years.  The  clock  was  ticking.” 

Keller  was  acutely  aware  of  the 
demands  on  his  IT  group.  “Were  there 
any  times  when  people  were  working 
weekends  and  holidays  and  the  sched¬ 
ule  got  questioned?  Yes,”  he  says.  In  fact, 
according  to  Keller,  the  280  members  of 
the  IT  team  eventually  would  put  in  1.2 


million  hours,  including  overtime,  on  the 
project. 

But  by  fall  2005,  there  was  light  at  the 
end  of  the  tunnel.  The  team  could  see  the 
new  business  processes  and  financial  data 
governance  mechanisms  actually  being 
used  by  Nationwide  employees.  And  it 
all  was  working.  “They  saw  the  value 
they  were  creating,”  recalls  Butler.  “The 
‘aha’  moment  came  when  we  finally  got  a 
chance  to  look  in  the  rear-view  mirror.” 

At  Last,  the  ROI 

That  happy  “aha”  moment  didn’t  last  long. 
More  than  a  year  after  the  final  wave  of 
Focus  was  rolled  out  to  the  last  business 
unit,  the  team  is  still  working  to  finish 
that  remaining  20  percent  of  function¬ 
ality— those  requests  that  were  set  aside 
during  the  initial  push— and  watching  as 
data  volume  on  the  system  has  reached 
more  than  150  million  financial  transac¬ 
tions  per  month. 

“Do  [the  executives]  have  things  they 
would  have  loved  for  us  to  go  after,  to  get 
to  the  next  level  of  evolution?  I  think  so,” 


says  Gopal.  Improvements  to  the  system, 
including  enhancements  to  depth  at  which 
executives  can  dig  into  the  financial  data, 
are  ongoing,  Gopal  notes.  “We’ve  come  a 
hundred  miles,  and  we  have  another  hun¬ 
dred  to  go.” 

Nationwide  execs  concede  that  the  sys¬ 
tem  is  still  evolving  but  say  substantial 
gains  are  everywhere.  The  first  benefit 
of  the  transformation  that  Rosholt  men¬ 
tions  is  something  that  didn’t  happen. 
“You  go  through  a  project  such  as  this, 
in  a  period  of  extreme  regulatory  and 
accounting  oversight,  and  these  things 
can  cough  up  more  issues,  such  as  earn¬ 
ings  restatements.  We’ve  avoided  that,” 
he  says.  “That  doesn’t  mean  we’re  perfect, 
but  that’s  one  thing  everyone’s  amazed 
at.  We  went  through  all  this  change  and 
nothing  coughed  up.  Our  balance  sheet 
was  right.”  Therefore,  Nationwide  has  one 
less  thing  to  worry  about,  one  more  thing 
to  be  confident  about. 

Next,  Rosholt  notes  that  users  of  the 
Focus  system  are  experimenting  with  its 
new  features.  For  example,  Nationwide’s 


To  easily  mobilize  your  global  workforce,  press  here 


MDM  license  and 
service  revenue 
from  software 
vendors  and  systems 
integrators  will  grow 
from  $1.1  billion  in 
2006 to  more  than 
$6.6  billion  in  2010. 


Source:  Forrester  Research 


Scottsdale  Insurance  business 
unit  will  soon  be  able  to  iden¬ 
tify  and  analyze  its  most  prof¬ 
itable  customers.  “All  of  this 
used  to  be  in  an  Excel  spread¬ 
sheet  that  they  always  had  to 
reconcile  into  the  financials,” 

Rosholt  says.  “Now  we  can 
understand  what  value  propo¬ 
sition  we  bring  our  customers 
and  what  value  proposition 
our  customers  bring  us.  This 
is  a  big  change  for  our  indus¬ 
try.”  Nationwide  now  also  has 
the  flexibility  to  change  the 
regional  structures  in  how 
it  designates  its  core  lines 
of  businesses.  For  example, 

Rosholt  says  that  when  executives  decide 
to  install  a  new  geography-based  report¬ 
ing  structure  in  the  property  and  casualty 
insurance  operations,  moving  a  business 
line  from  one  state  or  region  (Midwest)  to 
another  (Northeast),  the  process  “would 
have  taken  nine  months,”  he  says.  Now  it 
takes  just  a  couple  of  days.  The  end  result 


is  that  execs  and  business-unit  managers 
can  now  get  a  clearer  and  more  accurate 
picture  of  how  Nationwide’s  state  and 
regional  lines  are  doing— and  get  it  much 
faster. 

Last,  but  certainly  not  least,  Rosholt 
can  now  give  Jurgensen  a  more  imme¬ 
diate,  accurate  and  comprehensive  pic¬ 


ture  of  Nationwide’s  financial 
health. 

It  took  nearly  30  days  to 
close  Nationwide’s  books  for 
2006.  With  the  new  system 
in  place,  the  amount  of  time 
necessary  has  declined  sig¬ 
nificantly:  19  days  to  close  Q1 
2007, 16  days  for  Q2, 15  days 
for  Q3.  The  target  is  to  get  that 
down  below  10  days  by  2010. 

As  for  the  goal  to  grow 
Nationwide’s  net  income,  the 
company  recorded  $1.1  billion 
in  2005  and  topped  that  with 
$2.1  billion  in  2006.  For  those 
on  the  Focus  team,  that’s  the 
kind  of  financial  news  that 
is  always  a  pleasure  to  deliver  to  senior 
executives. 

“It’s  nice,”  says  Butler,  “when  they  can  see 
their  financials  in  a  timely  manner.”  I3EI 


Senior  Writer  Thomas  Wailgum  can  be  reached 
at  twailgum@cio.com.  To  comment  on  this 
story,  go  to  www.cio.com/article/167452. 


Efficiency 


It's  a  Palm  thing. 


Bring  maximum  productivity  to  your  team  members. 
With  minimal  effort  on  your  part.  Palm®  Treo™  750  smart 
device  from  AT&T  with  Windows  Mobile®  6. 

Pick  one  up  today  for  only  $199?  Learn  more,  or  buy  now 
atwww.palm.com/productivity  or  1 -866-799-PALM. 


/  Mflr  Windows 

m  Mobile 


at&t 


©  2007  AT&T  Intellectual  Property.  All  rights  reserved.  AT&T  and  the  AT&T  logo  are  trademarks  of  AT&T  Intellectual  Property. 
*After  S150  mail-in  rebate  with  2-year  agreement  on  unlimited  data  plan  of  $39.99/month  or  higher  and  eligible  voice  plan. 


TOXIC 

IS  YOUR 


3PAR  customers  can  buy  half  the  storage  capacity  required  with 
traditional  storage  arrays,  reducing  energy  consumption  and 
the  related  toxic  impact  on  the  environment. 

With  Carbon  Neutral  Storage,  3PAR  purchases  carbon  offsets  for 
the  disk  capacity  sold  with  Thin  Provisioning.  So  far  this  program 
has  offset  more  than  5  million  pounds  of  carbon  emissions  — 
equivalent  to  taking  500  cars  off  the  road  for  a  year. 

Visit  www.3PAR.com/thinkgreen  to  access  a  complimentary 
Gartner  report  on  thin  provisioning. 


3  PAR 

Serving  Information 


Think  Thin.  Think  Green.  Think  3PAR. 


Virtualization 


You’ve  fallen  in  love  with 
virtualization.  Welt  why  not? 
It  can  lower  costs  and 
supercharge  your  ability  to 
respond  to  business  needs. 
All  good.  But  it  also  raises 
your  risk  profile.  Not  so 
good.  Here  are  10  ways  to 
mitigate  those  risks. 


BY  LAURIANNE  MCLAUGHLIN 


Last  year,  the  big  question  about  virtualization  in  corporate  data  centers  was, 


Reader  ROI 

::  Tools  for  managing 
security  in  virtual 
environments 

::  The  problem  of 
rogue  VMs 

::  Network  risks 
explained 


How  much  money  and  time  will  this  save  us? 

This  year,  the  big  question  will  be,  How  secure  are  we? 

Which  is  an  extremely  difficult  question  to  answer.  A  slew  of  vendors  and 
consultants  trying  to  sell  security  products  and  services  have  conflicting 
opinions  about  the  risks  inherent  in  virtualization  and  how  to  prevent  them. 
At  the  same  time,  some  security  researchers  are  beginning  to  talk  about  risks 
that  have  yet  to  emerge,  such  as  the  possible  appearance  of  malware  targeted 
at  hypervisors. 

“There’s  a  lot  of  noise  out  there  on  virtualization,”  says  Chris  Wolf,  senior 
analyst  for  market  research  firm  Burton  Group.  “It  can  be  distracting.” 

Adding  fuel  to  the  fire  is  the  fact  that  many  IT  organizations  admit  that 
they  prioritized  operational  speed  over  most  everything  else— including  secu¬ 
rity  planning— when  they  started  creating  hundreds  of  new  VMs  (virtual 
machines— self-contained  operating  environments  that  behave  as  if  they 
are  a  separate  computer)  in  2007.  (That’s  not  surprising  considering  that 


PHOTO  BY  ISTOCKPHOTO 


www.cio.com  |  JANUARY  15,  2008  41 


Virtualization 


. . « . 

ON  THE  VIRTUAL  THREAT  HORIZON 

CIOs  must  learn  to  distinguish  real  from  theoretical  risk 

“There  hasn’t  been  a  significant  security  breach  in  virtualization— not  a  public 
one,”  cautions  IDC  analyst  Stephen  Elliott.  (IDC  is  a  sister  company  of  CIO.)  But, 
he  says,  "You  have  to  figure  it’s  just  a  matter  of  time.” 

IT  leaders  must  deal  with  virtualization  security  as  they’ve  dealt  with  other 
threats— with  tools,  money,  process  and  vigilance.  But  they  also  need  to  sepa¬ 
rate  real  threats  from  theoretical  ones,  and  right  now  that’s  not  so  easy. 

So  what’s  real  and  what’s  not? 

For  starters,  there’s  been  a  lot  of  talk  about  hypervisor  malware  and  weak¬ 
nesses.  Last  summer,  Intelguardians  Network  Intelligence,  a  security  consultancy, 
suggested  that  a  hacker  could  break  out  of  a  VM’s  guest  OS  into  the  server’s  host 
OS,  opening  the  possibility  of  installing  rootkits  and  other  malware  on  the  VMs. 

Other  researchers  discuss  the  possibility  of  a  “Blue  Pill”  attack,  which  uses  a 
virtual  rootkit  to  hide  in  the  hypervisor,  cloaked  from  today’s  security  tools.  But  Blue 
Pill  “never  really  materialized,”  says  Chris  Wolf,  senior  analyst  for  market  research 
firm  Burton  Group.  As  for  the  hypervisor  threats,  he  terms  them  “exaggerated.” 

Tom  Carter,  Microsoft  Systems  Administrator  at  Arch  Coal,  calls  hypervisor 
malware  and  Blue  Pill  "low  risk”  but  he’s  not  dismissing  them.  Protecting  serv¬ 
ers  from  hypervisor  attacks  is  one  goal  of  Arch  Coal’s  security  team  as  it  investi¬ 
gates  new  tools,  including  Reflex  Security’s  virtual  security  appliance  product. 

Perhaps  more  troubling,  says  Chris  Hoff,  chief  architect  for  security  inno¬ 
vation  at  Unisys,  is  that  IT  has  real  trouble  seeing  into  the  traffic— and  conse¬ 
quently  the  potential  troubles— running  between  VMs.  IT  very  much  needs  tools 
to  be  able  to  peek  into  that  inter-VM  traffic,  Hoff  says. 

A  more  immediate  problem  is  figuring  out  the  division  of  duties  among  IT  per¬ 
sonnel  as  access  to  more  VMs  gets  loaded  onto  more  management  consoles.  That’s 
the  kind  of  security  issue  CIOs  should  worry  about  before  Blue  Pill,  Hoff  says. 

Of  course,  the  more  high-profile  and  mission-critical  the  apps  you  virtualize, 
the  greater  the  risk.  "We’ve  recognized  that  the  risk  is  expanding,”  says  Arch 
Coal  CIO  Michael  Abbene.  "What  we  could  live  with  a  year  ago,  we  won’t  be  able 
to  live  with  six  months  from  now.”  -L.M. 


most  enterprises  have  started  virtualizing 
their  testing  and  application  development 
boxes,  not  servers  running  core  business 
apps.) 

“We’re  finding  security  is  the  forgotten 
stepchild  in  the  virtualization  build-out,” 
says  Stephen  Elliott,  IDC’s  research  direc¬ 
tor  for  enterprise  systems  management 
software.  (IDC  is  a  CIO  sister  organiza¬ 
tion.)  “That’s  scary  when  you  think  about 
the  number  of  production-level  VMs.” 
According  to  IDC,  75  percent  of  compa¬ 
nies  with  1,000  or  more  employees  are 
employing  virtualization  today. 

And,  according  to  Neil  MacDonald, 
VP  at  consultancy  Gartner,  60  percent 
of  production  VMs  will  be  less  secure 
than  their  physical  counterparts  at  least 
through  2009. 

But  much  of  the  discussion  about  virtu¬ 
alization  security  has  been  flawed  to  date, 
says  Chris  Hoff,  chief  architect  for  security 
innovation  at  Unisys,  because  people  often 
frame  the  discussion  by  asking  whether 
virtual  servers  are  more  secure  than  physi¬ 
cal  ones  or  less  so. 

That’s  the  wrong  question,  says  Hoff, 
who  blogs  frequently  on  this  topic.  The 
right  question,  he  says,  is,  Are  you  apply¬ 
ing  what  you  already  know  about  security 
to  your  virtualized  environment? 

Virtual  Problems, 

Real  Solutions 

“People  get  wound  up  about  theoreticals 
when  in  reality  there’s  a  clear  set  of  things 
you  can  do  today  [to  address  security],” 
Hoff  says.  Certainly,  virtualization  does 
introduce  some  new  security  concerns, 
but  first  things  first:  “We  have  to  be  prag¬ 
matic.  Let’s  make  sure  we  architect  the 
virtual  network  as  well  as  we  architect 
the  physical  networking.” 

As  an  example,  he  points  to  a  virtualiza¬ 
tion  management  tool  such  as  VMware’s 
VMotion,  which  is  helpful  for  moving 
VMs  around  in  times  of  machine  trouble, 
but  which  can  also  allow  someone  with 
admin  rights  to  combine  two  VMs  that, 
in  the  physical  world,  would  have  been 
carefully  separated  in  terms  of  network 
traffic  for  security  reasons. 

Right  now,  some  IT  organizations  are 


making  a  fundamental  mistake:  They’re 
letting  the  server  group  run  the  vir¬ 
tualization  effort  almost  single-hand¬ 
edly-leaving  the  IT  team’s  security, 
storage  and  networking  experts  out  of 
the  loop.  This  can  create  security  prob¬ 
lems  that  have  nothing  to  do  with  inher¬ 
ent  weaknesses  of  the  virtualization 
technology  or  products.  “This  is  a  perfect 
opportunity  to  bring  the  teams  together,” 
Hoff  says. 

“Virtualization  is  90  percent  planning,” 
says  Burton  Group’s  Wolf.  “The  planning 
has  to  include  the  whole  team,  including 
the  network,  security  and  storage  teams.” 

Unfortunately  in  the  past,  most  IT 
teams  ran  fast  and  loose  with  their  vir¬ 


tualization  efforts  and  now  must  play 
catch-up.  What  if  you  forgot  about  the 
planning  Wolf  is  talking  about,  not  to  men¬ 
tion  meeting  with  your  network,  security 
and  storage  teams?  Are  you  hopelessly 
behind  the  eight  ball  as  you  expand  your 
number  of  VMs  and  put  higher-profile 
apps  on  them? 

Luckily  for  you,  no. 

“To  catch  up,  start  with  a  good  audit  of 
your  virtual  infrastructure,”  using  tools  or 
consultants,  Wolf  says.  “Then  you  really 
have  to  work  backwards.”  Wolf  suggests 
checking  out  audit  tools  from  CiRBA  and 
PlateSpin  for  this  purpose. 

Here  are  10  things  you  can  do  to  secure 
your  virtual  environment. 


42  JANUARY  15,  2008  |  www.cio.com 


Get  the  full  story  in  one  easy  click.  Visit  hp.com/go/storageutopia6 

1.-800-888-0306 


Alternative  Thinking  About  Storage: 


TEN 


STEPS 


IS  FIVE 


MANY 


Being  a  storage  expert  isn't  just  for  the  experts  anymore. 
The  HP  StorageWorks  1  200  All-in-One  Storage  System  is 
simple  to  use  and  can  be  implemented  in  less  than  ten 
mouse  clicks.  It's  the  first  storage  area  network  designed 
for  almost  everyone. 


Technology  for  better  business  outcomes. 


Mm 


HP  StorageWorks  1200  All-in-One  Storage  System 

Integrated  file  serving,  data  protection  and  application  data  storage  in  a  single, 
affordable  system 

•  Dual-Core  Intel® Xeon®  Processor1 

•  Microsoft  Windows  Storage  Server  2003  R2 

•  Up  to  9  TB  Capacity 


1 .  Dual-Core  is  a  new  technology  designed  to  improve  performance  of  multithreaded  software  products  and  hacdware-aware  multitasking  operating  systems  and  may  require  appropriate  operating  system  software  tor  lull  benetit;  check  with  software  provider  to  determine  suitability; 
not  all  customers-or  software  applications  will  necessarily  benefit  from  use  of  this  technology.  Intel's  numbering  is  not  a  measurement  of  higher  performance.  Intel,  Intel  logo.  Intel  Inside,  Intel  Inside  logo  and  Intel  Xeon  are  trademarks  or  registered  trademarks  ot  Intel  Corporation 
or  its  subsidiaries  in  the  United  States  and  other  countries.  l.P.  Microsoft  and  Windows  are  registered  trademarks  ot  Microsoft  Corporation  in  the  United  States  and/or  other  countries.  ©2007  Hewlett-Packard  Development  Company,  L.P.  The  information  contained  herein  is 

subject  to  change  without  notice.  :  -  '  -i / 


Virtualization 


SECURITY  IS  THE  FORGOTTEN  STEPCHILD 
IN  THE  VIRTUALIZATION  BUILD-OUT. 

THAT'S  SCARY  WHEN  YOU  THINK  ABOUTTHE 
NUMBER  OF  PRODUCTION-LEVEL  VIRTUAL 

MACHINES.”  -STEPHEN  ELLIOTT,  ANALYST,  IDC 


10  STEPS 

for  Real  Security 
in  a  Virtual  World 

No  more  sprawl 

CIOs  such  as  Arch  Coal’s  Michael  Abbene 
understand  the  problem  of  VM  sprawl 
full  well.  VMs  take  minutes  to  create; 
they’re  great  for  isolating  certain  com¬ 
puting  jobs.  But  the  more  VMs  you  have, 
the  more  security  risk  you  assume.  And 
you’d  better  be  able  to  keep  track  of  all 
those  VMs. 

Like  many  others,  “we  started  by  vir¬ 
tualizing  very  low-profile  test  and  devel¬ 
opment  boxes,”  Abbene  says.  “Then  we 
moved  some  low-profile  application 
servers.  We’ve  been  moving  up  as  we’ve 
been  successful.”  The  company  currently 
has  about  45  production  VMs,  he  notes, 
including  Active  Directory  servers  and 
some  application  and  Web  servers. 

How  does  Abbene  address  server 
sprawl?  At  Arch  Coal,  the  IT  team  is  rigor¬ 
ous  in  its  requirements  for  allowing  new 
VMs  into  the  environment.  “People  have  to 
go  through  the  same  process  to  get  a  server, 
whether  it’s  physical  or  virtual,”  says  Tom 
Carter,  Arch  Coal’s  Microsoft  Systems 
Administrator,  who  works  for  Abbene. 

Arch  Coal’s  process  involves  a  change 
control  board  (made  up  of  a  cross  section 
of  IT  staffers  serving  on  a  rotating  basis) 
that  gives  thumbs  up  or  down  to  new  vir¬ 
tualized  server  requests.  This  means,  for 
example,  that  people  in  the  applications 
group  just  can’t  build  a  VMware  server 
and  start  creating  VMs,  though  Abbene 
has  had  developers  ask  to  do  just  that. 

VMware’s  VirtualCenter  management 
tools  as  well  as  tools  from  Vizioncore  can 
also  help  manage  VM  sprawl. 

Ignore  VM  sprawl  at  your  peril,  says 
IDC’s  Elliott:  VM  sprawl  causes  lag  times 
in  your  ability  to  manage,  maintain  per¬ 
formance  and  provision.” 

©  Apply  existing 
processes  to  VMs 

The  sexiest  part  of  virtualization  may 
be  its  speed.  You  can  create  VMs  in  min¬ 
utes,  move  them  around  and  deliver  new 


computing  power  to  the  business  in  days 
instead  of  weeks.  It’s  fun  to  drive  fast.  But 
slowing  down  long  enough  to  think  about 
virtualization  as  part  of  your  existing  IT 
processes  will  help  prevent  security  prob¬ 
lems  from  arising  in  the  first  place,  says 
IDC’s  Elliott.  You’ll  also  save  some  man¬ 
agement  headaches  down  the  road. 

“Think  about  virtualization  not  just 
from  a  technology  standpoint  but  from 
a  process  one,”  Elliott  advises.  If  you’re 
using  ITIL  to  guide  your  IT  processes, 
think  about  how  virtualization  fits  into 
that  framework  or  any  other  best-practice 
framework  you’re  using.  “If,  for  example, 
you  have  a  server-hardening  document 
[prescribing  a  standard  set  of  security  and 
setup  rules  for  a  new  server],”  Hoff  says, 
“you  should  do  the  same  set  of  things  to  a 
virtual  server  as  to  a  physical  one.” 

“We  take  our  best  practices  for  secur¬ 
ing  a  physical  server  and  apply  those  to 
every  VM  on  the  box,”  Abbene  says.  Steps 
like  hardening  the  OS,  running  antivirus 
on  every  VM  and  ensuring  patch  man¬ 
agement  keep  those  virtual  boxes  in  tune 
with  the  physical  ones,  he  says. 

©  Review  your 
security  toolkit 

Do  you  need  a  new  suite  of  security  and 
management  tools  for  your  virtualized 
environment?  Probably  not.  Starting  with 
your  existing  security  toolset  and  applying 
it  to  the  virtual  environment  makes  sense, 
says  Hoff.  But  do  ask  your  vendors  about 
how  they’re  addressing  virtualization 
risks.  “There’s  a  false  sense  of  security  in 
relation  to  adopting  physical  tools  for  the 
virtual  environment,”  IDC’s  Elliott  says.  At 
the  same  time,  he  adds,  the  virtualization 
market  is  still  too  young  to  expect  mature 
new  tools  designed  with  virtualization  in 
mind.  “Don’t  assume  the  platform-level 


tools  [such  as  those  from  VMware]  are 
good  enough  for  you,”  Elliott  says.  “Press 
your  legacy  vendors  to  do  more,  and  pro¬ 
vide  guidance  for  them.” 

Jim  DiMarzio,  CIO  at  Mazda  North 
America,  adheres  to  this  strategy.  Like 
Arch  Coal,  Mazda  N.A.  runs  VMware’s 
ESX  Server  3  software  at  the  core  of  its 
virtualized  servers  and  has  been  ramp¬ 
ing  up  its  number  of  VMs.  DiMarzio  says 
he  expects  to  have  about  150  production 
VMs  running  by  March  2008.  He’s  using 
them  for  Active  Directory  servers,  print 
servers,  CRM  application  servers  and 
Web  servers— the  last  being  a  mission- 
critical  app  since  Mazda  uses  Web  apps 
to  serve  information  to  all  its  dealers. 

To  secure  these  VMs,  DiMarzio  decided 
to  continue  with  his  existing  firewall  and 
security  products,  including  IBM’s  Tivoli 
Access  Manager,  Cisco  firewall  tools  and 
Symantec’s  IDS  monitoring  tools. 

At  Arch  Coal,  Abbene  and  his  team  are 
sticking  with  the  security  tools  they’re 
already  using  while  investigating  tools 
from  startups  BlueLane  and  Reflex  Secu¬ 
rity.  “The  [legacy]  security  and  change 
vendors  are  behind,”  Abbene  says. 

BlueLane  claims  its  VirtualShield 
product  for  VMware  can  protect  virtual 
machines  even  in  cases  where  patches 
are  out  of  date,  as  well  as  automatically 
scanning  for  possible  problems,  updat¬ 
ing  problem  areas  and  protecting  against 
some  remote  threats. 

Reflex  Security’s  Virtual  Security 
Appliance  (VSA),  which  Hoff  describes— 
along  with  BlueLane’s  software— as  one  of 
the  few  emerging  products  worth  a  CIO’s 
attention  right  now,  serves  as  a  virtual 
intrusion  detection  system  (IDS),  adding  a 
layer  of  security  inside  the  physical  boxes 
where  the  VMs  live. 

Abbene  says  his  IT  group  has  also 


44  JANUARY  15,  2008  |  www.cio.ccm 


!#'#*#^##**##«*#***»*i**#*##***'******»l 


sw*H>rnhmiri!u|| 

PANEL »1 

Don't  touch  it.  Don't  move  it. 

Contrary  to  what  they  might  say,  VoIP  isn't  synonymous 
with  "starting  over"  (a.k.a.  ripping  and  replacing).  That's  because 
it's  no  longer  about  hardware.  It's  actually  about  software. 
Now  you  can  keep  your  hardware — your  PBX,  your  gateways, 
even  your  phones.  Move  to  VoIP  with  software.  Software  that 


integrates  with  Active  Directoryf  Microsoft®  Office,  Microsoft 
Exchange  Server,  and  your  PBX.  Maximize  your  current  PBX 
investment  and  make  it  part  of  your  new  software-based  VoIP 
solution  from  Microsoft.  You're  much  closer  to  VoIP  than  you 
realize.  Learn  more  at 
microsoft.com/voip 


Your  potential.  Our  passion 

Microsoft 


LIMITING  ADMIN-LEVEL  ACCESS  TO 
VIRTUAL  MACHINES  IS  CRITICAL  OUR 

APPLICATION  PEOPLE  HAVE  ACCESS  TO 
ASHARE.ORTHE  MINIMUM  ACCESS,  NOT 
ACCESS  TO  THE  OPERATING  SYSTEM.” 

-TOM  CARTER,  INFORMATION  SECURITY,  ARCH  COAL 


discussed  adding  a  second  internal  fire¬ 
wall  to  further  isolate  the  VMs  but  he’s 
concerned  there  might  be  a  performance 
impact  on  the  virtualized  applications. 

IDC’s  Elliott  cites  a  few  other  virtual¬ 
ization  management  and  security  tools 
worth  examining:  PlateSpin,  for  physi- 
cal-to-virtual  workload  conversion  tools 
and  workload  management  tools;  Vizion- 
core,  for  file-level  backup  tools;  Akorri,  for 
performance  management  and  workload 
balancing  tools;  and  storage  firm  Equal- 
Logic  (recently  acquired  by  Dell),  known 
for  iSCSI  storage-area  network  (SAN) 
products  optimized  for  virtualization. 

®  Love  your  embedded 
hypervisor 

The  hypervisor  layer  on  a  server  serves 
as  a  foundation  for  housing  the  VMs. 
VMware’s  recently  announced  ESX 
Server  3i  hypervisor,  designed  for  secu¬ 
rity  reasons  to  be  very  slim  (32MB),  does 
not  include  a  general-purpose  OS.  (No  OS 
means  no  OS  maintenance.) 

Hardware  vendors  like  Dell  and  HP 
have  recently  said  that  they’ll  ship  embed¬ 
ded  versions  of  the  VMware  hypervisor 
on  their  physical  servers.  In  basic  terms, 
an  embedded  hypervisor  is  safer  because 
it’s  smaller,  says  IDC’s  Elliott.  “The  larger 
the  code  base,  the  larger  the  opportunity 
for  breaches,”  he  says.  “This  becomes  part 
of  your  architecture  decision.” 

Embedded  hypervisors  will  be  a  big 
trend,  Elliott  says,  and  you  can  expect  to 
see  them  from  most  server  vendors,  as 
well  as  from  some  companies  that  haven’t 
played  in  this  space  before.  Phoenix  Tech¬ 
nologies,  a  market  leader  in  the  BIOS  soft¬ 
ware  field,  recently  announced  that  it’s 
getting  into  the  hypervisor  game  with  a 
product  called  HyperCore.  It’s  a  hypervi¬ 


sor  for  desktop  and  laptop  PCs  that  will 
let  users  turn  on  the  machine  and  use  a 
basic  Web  browser  and  e-mail  client  with¬ 
out  waiting  to  boot  Windows.  (HyperCore 
will  be  embedded  in  the  machine  BIOS.) 

Competition  and  innovation  in  the 
hypervisor  market  would  be  good  for 
enterprises,  Hoff  says.  The  result  could 
be  companies  slugging  it  out  to  deliver  the 
slimmest,  smartest  hypervisor  software. 

“Whether  it’s  Phoenix  or  someone  else, 
there’s  a  very  interesting  battle  of  these 
hypervisors  becoming  the  next  great  OS,” 
Hoff  says. 

Safety  isn’t  the  only  benefit  of  an 
embedded  hypervisor.  Mazda’s  IT  group 
is  looking  forward  to  upcoming  Dell 
servers  with  embedded  hypervisors  for 
VMware  ESX  server.  “One  of  the  features 
we’re  waiting  for  with  Dell’s  embedded 
ESX  is  that  all  the  VM  images  can  be  on 
the  SAN,”  says  DiMarzio’s  IT  systems 
manager,  Kai  Sookwongse.  “So  when  we 
start  up  the  server,  it  can  boot  up  from 
the  image  on  the  SAN.”  This  centralizes 
administration  and  security. 

?  Don’t  overassign 
VM  rights 

When  you  give  admin-level  access  to  a 
VM,  you  give  access  to  all  the  data  on  that 
VM.  Think  about  what  kind  of  accounts 
and  access  your  staffers  in  charge  of 
backup  tasks  really  need.  “Some  ven¬ 
dors  are  not  even  following  VMware’s 
best  practices  for  VMware  Consoli¬ 
dated  Backup  themselves,”  says  Burton 
Group’s  Wolf. 

Arch  Coal  makes  it  a  point  to  limit 
admin  access  to  its  VMs,  says  Paul  Telle, 
information  security  administrator,  not¬ 
ing  that  his  security  colleague  Tom  Carter 
and  Carter’s  boss  are  among  a  very  small 


group  with  those  rights  at  Arch  Coal. 

Application  developers,  for  example, 
get  minimal  access.  “Our  application 
people  have  access  to  a  share,  or  the  mini¬ 
mum  access,  not  access  to  the  OS,”  Carter 
says.  This  helps  control  VM  sprawl  while 
increasing  security. 

Keep  an  eye  on 
provisioning 

Some  enterprises  are  overprovisioning 
storage  on  SANs  today,  says  Wolf.  It’s  not 
that  you’re  provisioning  too  much  stor¬ 
age  overall;  it’s  that  you  may  be  letting 
the  wrong  VMs  share  a  part  of  the  SAN, 
he  says. 

If  you’re  working  with  VMotion, 
VMware’s  tool  for  moving  VMs  around, 
you’re  assigning  some  zoned  storage  in 
SANs.  But  you  may  want  to  make  that 
storage  assignment  more  granular,  as 
you  would  in  the  physical  world.  Look¬ 
ing  forward,  N-port  ID  virtualization— a 
technique  that  lets  IT  assign  storage  to 
just  one  VM— is  an  option  worth  inves¬ 
tigating,  says  Wolf. 

VMs  need  real  space 

Network  traffic  risks  can  be  overlooked 
in  virtual  environments,  especially  if 
IT  leaders  fail  to  bring  networking  and 
security  staffers  to  the  table  during  virtu¬ 
alization  planning.  “A  lot  of  organizations 
simply  use  performance  as  the  metric  of 
how  to  consolidate,”  Wolf  says.  (When 
evaluating  which  application  servers  to 
colocate  as  VMs  on  one  physical  box,  IT 
teams  tend  to  focus  on  how  performance- 
hungry  those  application  servers  will  be, 
since  you  want  to  avoid  asking  any  one 
physical  box  to  bear  too  much  load.)  “They 
forget  that  because  of  security  restrictions 
on  network  traffic,  they  shouldn’t  locate 
these  VMs  together,”  Wolf  says. 

For  example,  some  CIOs  have  decided 
not  to  allow  any  virtualized  servers  in  the 
DMZ,  the  subnetwork  that  houses  exter¬ 
nal  services  to  the  Internet,  like  e-com- 
merce  servers. 

If  you  do  have  some  VMs  in  the  DMZ, 
you  may  want  to  physically  separate 
those  network  segments  from  some  of 
your  other  systems— for  example,  a  criti- 


46  JANUARY  15,  2008  |  www.cio.com 


Pakistan,  one  of  the  leading 
Information  Technology  destinations  offers 
tremendous  growth  and  investment 
opportunities  as  reflected  in  its  $  2.8  billion 
industry  size,  $1.4  billion  annual  export 
revenue  and  over  50%  annual  IT  export 
growth.  Achieving  remarkable  success  in 
BPO,  Animation,  IT  enabled  services,  and 
financial  market  solutions,  Pakistan  offers 
the  best  solution  for  your  IT  needs. 


PAKISTAN 


www.pseb.org.pk  I  x°p  o  rtt  wb  o  arr  d 


“THE  GREATEST  THREAT  IS  ON  THE 
CLIENT  SIDE.  [VIRTUALIZED  DESKTOP 
MACHINES]  OFTEN  ARE  NOT  EVEN  AT 
THE  RIGHT  PATCH  LEVEL.” 

-CHRIS  WOLF,  ANALYST,  BURTON  GROUP 


cal  Oracle  database  server,  Wolf  says. 

At  Arch  Coal,  the  IT  team  thought 
about  the  DMZ  from  the  start  and  con¬ 
sequently  it  has  deployed  virtual  servers 
on  the  internal  LAN  but  nowhere  public 
facing.  “That  was  a  key  early  decision,” 
Abbene  says.  The  company  has  some 
secure  FTP  servers  and  some  servers 
doing  lightweight  electronic  commerce  in 
the  DMZ,  but  it  has  no  plans  to  introduce 
VMs  there,  he  says. 

Worry  about  the 
switches 

When  is  a  switch  not  a  switch?  “Some 
virtual  switches  behave  like  a  hub 
today— every  port  is  mirrored  to  all  the 
other  ports  on  the  virtual  switch,”  Bur¬ 
ton  Group’s  Wolf  notes.  Microsoft  Virtual 
Server  presents  this  problem  today,  Wolf 
says,  but  VMware’s  ESX  Server  does  not, 
nor  does  Citrix  XenServer.  “People  hear 
the  term  switch  and  think  isolation  exists. 
It  really  varies  by  vendor,”  he  says. 


(Microsoft  says  the  switch  issue  will 
be  addressed  in  Microsoft’s  upcoming 
Viridian  server  virtualization  software 
product.) 

@  Monitor  for  rogue  VMs 
on  desktops  and  laptops 

And  you  thought  servers  were  your  only 
worry.  “The  greatest  threat  is  on  the  client 
side— rogue  VMs,”  Burton  Group’s  Wolf 
says.  What’s  a  rogue  VM?  That’s  when 
your  users  download  a  free  program  like 
VMware  Player,  which  lets  a  desktop  or  lap¬ 
top  PC  user  run  any  VM  created  by  VMware 
Workstation,  Server  or  ESX  Server. 

Many  users  now  like  to  use  VMs 


on  their  desktop  or  laptop  to  separate 
pieces  of  work,  or  to  divide  up  work  and 
home-related  activities.  Some  people  use 
VMware  Player  to  run  Linux  as  a  base  OS 
and  create  a  VM  for  running  Windows 
apps.  “Those  VMs  often  are  not  even  at 
the  right  patch  level,”  Wolf  says.  “Those 
systems  get  exposed  to  your  network.  And 
now  all  of  these  unmanaged  OSes  can  float 
around. 

“There’s  a  lot  of  risk  you’re  add¬ 
ing  there,”  Wolf  continues,  noting  that 
machines  running  rogue  VMs  could 
spread  viruses— or  worse— to  your 
physical  network.  For  example,  he  says, 
it  would  be  very  easy  for  someone  to  load 


Virtualization 


up  a  DHCP  server  (dynamic  host  configu¬ 
ration  protocol— a  protocol  for  assigning 
dynamic  IP  addresses  to  devices  on  a  net¬ 
work)  to  give  out  fake  IP  addresses.  That’s 
effectively  a  denial-of-service  attack,  he 
notes.  At  the  very  least,  you’re  going  to 
waste  IT  resources  trying  to  track  down 
the  problem. 

How  can  you  prevent  rogue  VMs?  You 
should  have  controls  regarding  who  gets 
VMware  Workstation,  for  starters,  since 
it’s  needed  to  create  the  VMs.  IT  can  also 
use  a  group  security  policy  to  prevent 
certain  executables  from  running,  such 
as  those  needed  to  install  VM  Player. 
Or  you  could  conduct  periodic  audits  of 


Vendors  to  Watch 


After  VMware  and  Xen,  who  are  the  inno¬ 
vating  players  in  the  virtualization  space? 

See  10  VIRTUALIZATION  VENDORS  TO 
WATCH  IN  2008  at  www.cio.com/ 


article/160951. 


cio.com 


user  hard  drives.  “You  want  to  look  for 
machines  with  VMs  and  flag  them  for  fol¬ 
low-up  by  IT,”  he  says. 

Has  this  become  yet  another  bone  of 
contention  between  users  and  IT,  where 
savvy  users  want  to  use  VMs  at  work  the 
same  as  they’re  doing  at  home?  Not  yet, 
Wolf  says.  But  that’s  only  because,  for  the 
most  part,  “IT  departments  have  ignored 
it,”  Wolf  says. 

If  you  do  want  to  allow  VMs  on  user 
machines,  tools  such  as  VMware’s  Lab 
Manager  and  other  management  tools  can 
help  IT  control  and  monitor  those  VMs. 

©  Spend  the  money 

“Make  sure  to  allocate  budget  for  virtual¬ 
ization  security  and  management,”  IDC’s 
Elliott  says.  You  may  not  need  to  break  it 
out  in  your  security  budget,  Arch  Coal’s 
Abbene  notes,  but  you’d  better  have 
enough  money  for  it. 

And  be  careful  of  security  costs  as 
you  calculate  virtualization  ROI.  “You 


may  not  see  a  reduced  spend  in  security” 
just  by  virtualizing  more  and  more  ser¬ 
vers,  Hoff  notes,  because  you’ll  need 
to  apply  some  of  your  existing  security 
tools  to  every  VM  you  create.  If  you 
don’t  anticipate  this,  it  could  eat  into 
your  ROI. 

According  to  Gartner,  that’s  a  com¬ 
mon  mistake  CIOs  make.  Through  2009, 
some  90  percent  of  virtualization  deploy¬ 
ments  will  have  unanticipated  costs,  such 
as  security  costs,  affecting  ROI,  accord¬ 
ing  to  a  presentation  by  Gartner  VP 
Neil  MacDonald. 

The  benefits  of  virtualization  are  easy 
to  see,  easy  to  calculate.  But  unless  you 
understand  virtualization’s  risks,  and 
those  attendant  costs,  those  easy  calcula¬ 
tions  may  be  dead  wrong.  BEl 


Technology  Editor  Laurianne  McLaughlin 
can  be  reached  at  lmclaughlin@cio.com.  To 
comment  on  this  story,  go  to  www.cio.com/ 
author/41220. 


On  January  15,  Cognos  will  unveil  the  building  blocks  for  better  decision  making. 


Join  us  at  our  exclusive  event,  “Performance  Management  for  Your  Real  World,”  as  we  launch  Cognos  8  v3,  the  foundation  for 
the  most  comprehensive  performance  management  system  available  today.  The  agenda  includes: 


•  An  in-depth  overview  and  demo  of  Cognos  8  v3 

•  Rob  Ashe,  CEO,  Cognos:  “How  performance  management  innovation  drives  operational  and  financial  success” 

•  John  Hagerty,  VP,  AMR  Research:  “The  four  stages  of  performance  management  maturity” 

•  Cognos  customers:  Using  Cognos  8  v3  to  make  better  decisions 

When  you  see  Cognos  8  v3  in  action,  you’ll  understand  why  Cognos  is  the  best  choice  for  delivering  proven  business  intelligence 
and  planning  capabilities  to  all  types  of  users  across  your  mid-market  or  enterprise  organization. 


Register  for  the  live  event  in  New  York  City,  other  live  events  around  the  globe,  or  our  virtual  event  at  www.cognos.com/janl5. 


Proceed  with  confidence.™ 


The  Strategic  CIO  FULFILLING  THE  ROLE'S  NEW  MANDATE 

By  the  leaders  of  the  CIO  Executive  Council 


Who’s  Your  Customer? 

Direct  Energy’s  CIO  is  trying  to  change  the  perception  that  IT’s  customer  is 
the  internal  employee  in  order  to  foster  a  focus  on  what  matters  most.  The 
language  he  uses  to  talk  about  customers,  colleagues  and  IT  projects  is  key. 

If  I  were  to  ask  you  if  your  IT  staff  is  sufficiently  customer- 

oriented,  how  would  you  respond?  Would  you  describe  how  your  senior  IT 
leaders  are  responsive  to  their  counterparts  in  the  business?  Show  me  your 
scorecard  with  all  service  levels  met?  Perhaps  you  would  tout  the  results 
of  your  last  internal  customer  survey  with  lots  of  top  scores  from  key  business 
colleagues,  or  boast  that  your  IT  teams  are  embedded  among  the  business 

units.  But  when  I  hear  this  sort  of  thing,  what  I 
think  is.  Here  is  another  IT  department  that  isn’t 
customer-oriented  at  all.  In  fact,  you  are  probably 
out  of  touch  with  your  real  customers— the  people 
who  buy  your  company’s  products  and  services. 

If  we  define  the  customer  as  someone  who  buys 
the  company’s  products  and  services,  then  it  logi¬ 
cally  follows  that  the  customer  is  external  to  the 
company.  Therefore,  customer-oriented  employ¬ 
ees  consider  what  they  do— all  that  they  do— in  the 
context  of  how  this  better  serves  the  real  customer. 

However,  when  I  came  to  Direct  Energy  in  2005, 
it  was  common  for  the  IT  staff  to  refer  to  people 
inside  the  company  as  customers— a  practice  that 
totally  ignored  our  real  customer,  the  consumer  of 
our  energy  services! 

It’s  not  the  staff’s  fault.  This  problematic  perspec¬ 


tive  starts  at  the  top— with  us  CIOs.  According  to 
the  2008  “State  of  the  CIO”  survey,  when  asked  to 
choose  the  three  executive  leadership  competen¬ 
cies  most  critical  to  their  role,  only  10  percent  of 
CIO  respondents  chose  “external  customer  focus.” 
Only  9  percent  chose  “developing  external  customer 
insight”  as  one  of  the  activities  on  which  they  spend 
the  majority  of  their  time.  If  we  aren’t  aware  of  what 
our  customers  are  saying,  then  logically  we  are  out 
of  touch  with  our  customers  no  matter  how  in  tune 
we  are  to  other  employees. 

Customers  Versus  Colleagues 

Customers  and  employees  don’t  always  want  the 
same  thing.  If  we  listen  to  the  customer  rather  than 
to  other  employees,  we  may  understand  that  it  is 
more  important  to  resolve  the  customer’s  problem 


50  JANUARY  15,  2008  |  www.cio.com 


a  laptop  that  knows 


enit's  . 
een  stolen 


just  what  you'd  expect 
from  the  laptop  experts. 


Secure  your  small  business  with  a  little  help  from  Toshiba. 

Getting  your  laptop  stolen  is  not  something  you  walk  around  thinking 
about,  until  it  happens  to  you.  That's  why  theTecra®  A9  comes  with  an 
optional  Computrace®  LoJack®  for  Laptops  security  system1  and  a  Biometric 
Fingerprint  Reader.  So  now  you  can  help  keep  those  impressive  trade  secrets, 
well,  secret.  And  let's  not  forget  about  its  blazing  Intel®  Centrino®  Duo  processor 
and  genuine  Windows  Vista®  Business  operating  system.  See  what  else  we  can 
do  for  your  small  business  at  www.toshiba.com/lojack. 


TOSHIBA 

Leading  Innovation  >» 


.  Computrace  LoJack  for  Laptops  service  is  available  for  optional  purchase  for  $49.99  at  www.toshibadirect.com  or  your  local  reseller.  Tecra  is  a  registered  trademark  of  Toshiba  America  Information  Systems,  Inc.,  and/or  Toshiba  Corporation.  Intel,  the  Intel  logo, 
ientrino,  Intel  Core,  and  Core  Inside  are  trademarks  of  Intel  Corporation  in  the  U.S.  and  other  countries.  Windows  and  Windows  Vista  are  registered  trademarks  of  Microsoft  Corporation  in  the  U.S.  and  other  countries.  Computrace  is  a  registered  trademark  of  Absolute 
•oftware  Corporation.  LoJack  is  a  registered  trademark  of  LoJack  Corporation.  All  other  trademarks  are  the  property  of  their  respective  owners.  Product  specifications,  configurations,  prices,  system/component/options  availability  are  all  subject  to  change  without 
lOtice.  For  more  information,  visit  Toshiba's  Web  site  at  www.pcsupport.toshiba.com.  ©2008  Toshiba  America  Information  Systems,  Inc.  All  rights  reserved. 


■_  >  n.  v.  i  i  1  •  f  i  / 

MRMK/t.  J  •••jj:  '/£//  /_  / 

t  (*r"mfwfWiTv  wry  wWw/  wm  WiW 

'  i  jjk J  \»  ^  .  t/—  \ t  f  \  y_t-  rgrii 


*MHk' 


XWAtet*  jm»w* 


fjWff  ...  • 

RV  ' 

■ffi.  V 

WF**d  *  -“  ••■'"='  «flBr  v®r "  *i'~‘ 

— 

1  -  ’waar^T*'  ' 

TALKING 


BUILDS  WALLS 


More  and  more  CIOs  are  moving  beyond  just  talking  about  bringing 
business  and  IT  together,  to  actually  doing  it.  Which,  ironically,  gives 
them  something  quite  interesting  to  talk  about.  A  13%  net  profit  margin. 
To  see  how  they  did  it,  download  The  Global  CIO  Leadership  Study 
at  ibm. com/do/fusion  STOP  TALKING  START  DOING 


The  Strategic  CIO  FULFILLING  THE  ROLE'S  NEW  MANDATE 


Adopt  a  New  Lexicon 

Substitute  common  IT-speak  with  these  business  terms 

IT-Speak 

Business  Language 

Internal  customer 

Business  partner 

External  customers 

Customers 

IT  governance 

Investment  planning 

IT  and  the  business 

IT  in  business,  business  technology 

CIO’s  business  peers 

CIO  and  other  business  leaders 

Internal  SLAs 

Quality  goals,  excellence  standards 

IT  project  (or  priority) 

Business  project  (or  priority) 

Functionality  enhancement 

Business  process  change 

Resources 

People 

_ L  „  _ _ _  -  -  _  ,  . .  ..V.i.J 

than  it  is  to  conclude  a  phone  call  quickly,  as  the 
call  center  managers  might  wish.  While  the  aver¬ 
age  time  to  handle  a  call  might  be  useful  for  mea¬ 
suring  efficiency  of  a  call  center,  it’s  not  a  great 
metric  for  ensuring  customer  satisfaction. 

Pause  for  a  moment  and  reflect  on  which  met¬ 
rics  you  use  to  measure  your  IT  staff’s  perfor¬ 
mance.  Are  they  focused  inwardly  on  company 
processes  or  outwardly  on  the  customer?  For 
example,  you  could  measure  the  number  of  cus¬ 
tomer  complaints— an  inward,  process-oriented 
metric— or  the  number  of  times  a  customer  is 
inconvenienced— an  outward,  customer-experi¬ 
ence-oriented  metric.  (Hint:  The  latter  number 
will  be  higher  than  the  former.)  If  the  IT  team  is 
acutely  aware  of  customer  issues  such  as  incon¬ 
veniences  in  doing  business  with  you,  then  nothing  less 
than  gaining  and  retaining  customers— that  is,  growing 
the  company— will  be  considered  a  satisfactory  measure 
of  success. 

Are  You  from  IT,  or  “The  Business”? 


customer  requirements  are  those  that  remove  obstacles  to 
customer  satisfaction.  The  customer  specification  is  what 
will  deliver  what  the  customer  has  asked  for.  The  customer 
quote  is  one  that  is  lower  than  your  competitor’s  costs,  or  is 
supported  by  your  gross  margins. 


It’s  commonly  understood  today  that  companies  cannot 
operate  without  reliable  IT.  Yet  people  in  our  profession 
use  terms  like  IT  and  The  Business  as  if  it’s  age-old  wisdom 
that  IT  cannot  be  a  part  of  The  Business.  This  is  inconsistent 
with  the  fact  that  IT  is  necessary  for  businesses  to  function 
effectively.  There  is  no  longer  any  logical  reason  to  keep 


Leadership  on  Video 


See  Kumud  Kalia  and  other  CIOs  dis¬ 
cuss  different  leadership  competen¬ 
cies  in  the  CIO  EXECUTIVE  COUNCIL 
OUTLOOK  video  series  at  www.cio 
.com/video/outlookseries.  Assess 
your  own  performance  levels  in  these 
competencies  at  www.cio.com/cec/ 
strategic_cio/. 

cio.com 

j 

who  work  in  some  mysterious  entity  called  The  Business. 

An  IT  department— or  any  other  department  for  that 
matter— that  really  thinks  other  employees  are  its  custom¬ 
ers  or  that  it’s  separate  from  The  Business  is  moving  toward 
being  outsourced.  Any  internal  department  that  is  not  add¬ 
ing  value  to  the  real  customer  may  as  well  not  be  there. 

People  who  are  trained  to  serve  internal  employees 
think  like  outsourcers,  looking  for  system  requirements 
and  specifications  and  providing  quotes  for  systems  work. 
If  people  can  organize  across  functions  to  focus  on  the  real 
customer— the  one  paying  the  bills— then  they  will  look 
for  customer  requirements,  specifications  and  quotes.  The 


the  IT  function  sepa¬ 
rated  within  the  enter¬ 
prise  either  physically 
or  mentally.  There  is  no 
reason  to  talk  about  The 
Business  as  if  it’s  dis¬ 
tinct.  I  find  this  insidious 
practice  rife  in  other  dis¬ 
ciplines— finance,  HR, 
marketing,  legal— all 
referring  to  customers 


Finding  Our  Focus 

How  are  we  at  Direct  Energy  working  to  escape  this  trap? 
We’ve  started  with  changing  what  we  say  and  how  we  think. 
Somewhat  perversely,  by  reducing  the  use  of  the  word 
customer,  we  increase  our  customer  orientation.  I  banned 
the  word  customer  when  it’s  applied  to  other  employees.  The 
term  business  partner  would  substitute  for  any  company 
colleague  who  uses  technology  applications. 

The  purpose  of  changing  the  terminology  we  use  is  to 
change  our  mentality  and  therefore  our  focus.  I  don’t  believe 
for  a  moment  that  customer  focus  will  arrive  overnight  once 
people  change  their  vocabulary,  but  it’s  a  good  first  step. 

Don’t  talk  about  The  Business  either.  Be  the  business.  Find 
out  what  the  drivers  of  customer  satisfaction  are  for  your  com¬ 
pany  and  review  them  with  your  team;  stay  up  to  date  with 
sales  activity,  listen  to  customer  calls,  track  online  customer 
activity,  know  your  competitors.  Challenge  what  you’re  asked 
to  do  if  you  don’t  understand  how  the  customer  benefits  from 
it.  After  all,  it’s  the  customer  who  pays  your  salary. 

I’m  interested  to  know  what  you  think  about  the  termi¬ 
nology  we  use  and  how  we  may  be  hurting  our  own  cause 
to  deliver  customer  value  as  an  integral  part  of  the  business. 
In  what  ways  have  you  instilled  a  focus  on  the  true  customer 
for  your  IT  group?  013 


Kumud  Kalia  is  CIO  and  EVP  for  customer  oper¬ 
ations  at  Direct  Energy  and  is  a  CIO  Executive 
Council  member.  He  may  be  reached  at  kumud 
.kalia@directenergy.com. 


54  JANUARY  15,  2008  |  www.cio.com 


' - - - — — ^ 

"Perficient  needed  scalable  business  processes  to  manage 

more  than  1 ,000  team  members,  offices  in  1 6  major  markets 
and  hundreds  of  client  engagements.  And  counting." 

-  Jeff  Davis,  Perficient  President  and  COO 


When  Perficient  grew  by  300%  in  just  3 
years,  they  turned  to  the  leader  in  resource, 
project,  and  portfolio  management. 

To  convert  growth  into  profit,  Perficient  needed  an 
end-to-end  solution  that  would  accommodate  an 
aggressive  growth  strategy  while  enhancing  project 
delivery,  client  satisfaction  and  profitability.  Using 
Primavera,  Perficient  has  optimized  project  ROI  and 
resource  utilization,  streamlined  reporting  and 
compliance  tracking,  and  forecasts  revenues  all  in  a 
single,  scalable  solution. 

Find  out  how  Primavera  helps  Perficient  and  discover 
how  Primavera  might  change  your  organization.  Visit 
www.primavera.com/perficient  today! 

Ck  PRIMAVERA 

- '  Business  solutions  for  a  project-driven  world  ™ 


SION/ 


I  TECH/TELECOM  •  PUBLK 


EROSPAC 


primavera.com 


The  Strategic  CIO  JJzULFILLING  THE  ROLE's  new  mandate 


What  Does  It  Mean  to  Focus 
on  the  External  Customer? 

High  performers  think  strategically  about  what  customers  need  in  the  future 

BY  REYNOLD  LEWKE  AND  STEVE  KELNER 


The  C-level  competency  of  external  customer  focus 
is  the  ability  to  think  about  serving  the  customer 
and  building  value-added  relationships  with  an 
external  customer  or  client.  It  isn’t  selling. 

At  low  levels  of  performance,  one  is  willing  to  help  cus¬ 
tomers  by  providing  them  with  what  you  know  you  have. 
At  moderate  levels,  the  perspective  moves  from  “What  does 
the  customer  need  today?”  to  “What  will  the  customer  need 
next?”  At  higher  levels,  one  becomes  proactive  in  shaping  the 
customer  value  proposition  well  beyond  the  transactional 
relationship.  High  performers  build  complex  relationships 
with  customers  and,  based  on  their  deep  knowledge  of  the 
customer  and  marketplace  in  which  they  compete,  they  pro¬ 
vide  services  that  customers  do  not  yet  know  they  need.  High 
performers’  insights  about  customers  become  a  source  of 
competitive  advantage  for  both  their  own  company  and  their 
customers’  business. 

Gathering  information  about  the  external  customer  and 
listening  to  feedback  represents  a  low  level  of  performance. 
At  a  moderate  level,  you  know  the  customer  from  the  inside, 
which  means  you  can  predict  how  he  might  respond  to  a 
given  offering  and  you  can  anticipate  future  needs  that  one 
may  address.  At  the  top  level  is  a  trusted  adviser  who  is  inter¬ 
twined  with  the  customer’s  decision-making  processes. 

Are  You  Ready  to  Focus  on  Customers? 

Once  you  understand  the  requirements  of  an  external  customer 
focus,  it’s  important  to  consider  your  organization’s  predispo¬ 
sition  toward  customer  focus,  as  well  as  your  own  capability 
to  contribute  to  it.  Some  questions  to  consider  include: 

About  the  Organization 

□  Does  the  organization  allow  or  encourage  external  cus¬ 
tomer  contact  with  the  IT  organization  or  similar  func¬ 
tions  such  as  finance  or  operations? 

□  Is  the  IT  organization  linked  in  to  the  external  market? 

To  what  extent  is  IT  market-driven  versus  technology- 
driven? 

□  How  complex  is  the  business?  Does  it  include  a  wide  vari¬ 
ety  of  products,  customers  and  business  models?  Does  it 
seek  customer  input  for  new  products  and  services? 


About  Yourself 

□  Do  you  enjoy  reaching  out  and  connecting  with  people, 
especially  current  or  potential  customers? 

□  Do  you  understand  the  drivers  of  the  business  and  all 
the  different  aspects  of  the  market  that  apply  to  it, 
including  competitors,  history  and  business  priorities? 

□  Can  you  see  a  situation  from  others’  perspective,  no 
matter  how  you  may  disagree  with  it? 

□  Can  you  anticipate  a  customer’s  emotional  reaction— 
not  just  a  logical  one— based  on  your  understanding  of 
that  person  and  his  business? 


>'.yA  jrt  '  A.  -■  AAL.  T  q,  '*-0  q-e&y  <  y  -  '<i  T':cyVvA 

How  Execs  Rate  on  External  Customer  Focus 


CEOs  are  focused  on  using  customer  information  to  add 
value.  CIOs  and  CFOs  focus  mainly  on  current  offerings. 


Executive  behavior  legend 


7  =  Leverages  customer  relationships 
to  create  enduring  mutual  benefits 
6  =  Builds  strong  and  sustainable 
customer  relationships 
5  =  Continually  acts  to  add  value 
to  the  customer 

4  =  Knows  customer's  perspective:  antici¬ 
pates  customer’s  requirements 
3  =  Deliversagainstthe  customer's 
needs  relative  to  existing  products 
2  =  Has  basic  understanding  of  the 
customer's  needs 
1  =  Responds  to  the  customer 

These  benchmarks  rate  executive  performance  on  a  scale  of  1  to  7.  Plotted 
scores  are  the  average  of  all  scores  from  the  50th  to  85th  percentile  range 
among  executives  rated.  The  data  derives  from  more  than  25,000  executive 
assessments  conducted  by  Egon  Zehnder  International. 

Based  on  the  answers  to  these  questions,  you  can  then  decide 
how  to  develop  your  skills  in  this  area.  Developing  the  compe¬ 
tency  of  external  customer  focus  often  requires  a  significant 
shift  in  your  thinking  and  the  organization’s  thinking.  That’s 
because  traditionally,  IT  staff  has  been  stuck  in  the  data  center 
and  not  allowed  to  spend  much  time  with  customers.  QE] 


Reynold  Lewke  ( reynold.lewke@ezi.net )  is  Egon  Zehnder’s  North 
American  CIO  practice  leader.  Steve  Kelner  ( steve.kelner@ezi.net ) 
is  global  knowledge  leader  of  Egon  Zehnder’s  Talent  Management 
and  Management  Appraisal  Practice  Group. 


56  JANUARY  15,  2008  |  www.cio.com 


WHEN  INFORMATION  AVAILABILITY  MATTERS 


SunGard.  Setting  new  standards  for 
Information  Availability  by  delivering 
a  range  of  solutions  that  meet  your 
specific  availability  objectives.  Flexible 
enterprise  wide  solutions  from  IT 
management  to  AdvancedRecoverySM. 
2,500  experts.  Three  decades  of 
experience.  100%  successful 
recovery  track  record. 

To  see  how  SunGard  can  help 
improve  your  IT  availability  stop 
by  www.availability.sungard.com 
or  call  800-871-5857  today. 


SUNGARD9 

Availability  Services  Connected 


680  East  Swedesford  Road,  Wayne  PA  19087 
800-468-7483  |  www.availability.sungard.com 


TO  SEE  THE  TOP  SEVEN  ROADBLOCKS  COMPANIES  FACE  IN  ACHIEVING  INFORMATION  AVAILABILITY 
AND  FIND  OUT  HOW  TO  AVOID  THEM  VISIT  WWW.AVAILABILITY.SUNgArD.COM/IA. 


Will 

SALES  AND  SERVICES 


CIO  SALES  OFFICES 
President  and  CEO 

Michael  Friedenberg 
508  935-4310 

Publisher 

Bob  Melk  •  415  975-2685 

Publisher  Emeritus 

Gary  J.  Beach 
508  935-4202 

EAST  COAST 

Regional  Sales  Manager 

Ellie  St.  Louis 
201 634-2332 
Account  Executive 
Anna  Mkrtchyan 
201 634-2331 
Senior  Sales  Associate 
Norma  Tamburrino 
201 634-2329 
Fax  •  201 634-9513 

NEW  ENGLAND/CENTRAL 

Regional  Sales  Manager 
Brett  Ferry  •  508  935-4684 

SOUTHERN  CALIFORNIA 

Regional  Sales  Manager 

Kevin  Ebmeyer  •  415  975-2684 

WEST  COAST 

Regional  Sales  Managers 

Kevin  Ebmeyer 
415  975-2684 
Michelle  Stutsman 
415  975-2686 


Regional  Account  Executive 

Lawrence  Fu 
415  975-2683 

CUSTOM  SOLUTIONS 
GROUP 

Vice  President 

Matt  Avery 
508  935-4796 
National  Director,  Sales 
Adam  Dennison 
508  935-4087 
Editorial  Director 
Jim  Malone 
Senior  Editor 
Debra  Bulkeley 
Associate  Editor 
Anne  Taylor 

Senior  Project  Operations 
Manager 

Amy  Greenleaf 
Project  Managers 
Karen  Capland, 

Amy  Freeman 

ONLINE  SALES 

Vice  President,  Online  Sales 

Brian  Glynn  •  508  935-4586 

Online  Regional 
Sales  Manager 
Richard  Hartman 
508  935-4487 


Online  Regional  Sales 
Manager,  West  Coast 
Erika  Karr 
415  978-3329 
Online  Regional  Sales 
Manager,  Central 
Sarah  Gaskin 
415  975-2681 
Manager,  Online  Account 
Services 

DanielieTetreault 
508  988-7969 

Online  Account  Services 
Specialist 

Valerie  Sumner 
508  988-7877 

Online  Advertising  Specialist 

Irina  Gabechiia 
508  935-4414 

Online  Sales  Associate 

Erin  Sullivan 
415  975-2687 

LIST  SERVICES 

Contact  Paul  Capone  of  IDG 
List  Services  at  508  370-0865 
or  pcapone@idglist.com. 

For  further  sales  information: 

www3.clo.com/marketing/ 

contact/sales_contact.html 


CIO  is  published  in  the 
U.S.  as  well  as  in: 

Australia,  CIO  Australia 

www.idg.com.au 

Canada,  CIO  Canada 

cio.itworldcanada.com 

China,  CEO  &  CIO  China 

www.ceocio.com.cn 

France,  CIO  France 

www.idg.fr/cio 

Germany,  CIO  Germany 

www.cio.de 

India,  CIO  India 

www.cio.in 

Japan,  CIO  Japan 

www.idg.co.jp 

The  Netherlands, 

CIO  Netherlands 
www.cio.nl 
New  Zealand, 

CIO  New  Zealand 
www.cio.co.nz 
Poland,  CXO  Poland 
www.cxo.pl 

Singapore,  CIO  ACEN/ 
Hong-Kong  www.idg.com.sg 
South  Korea,  CIO  Korea 
www.ciokorea.com 
Sweden,  CIO  Sweden 
www.cio.idg.se 


INDEX  OF  COMPANIES  AND  ADVERTISERS 


Page  numbers  refer  to  the  first  page  of  the  article(s)  in  which  the  company  has  a  substantial  mention. 

This  index  is  provided  as  a  service  to  readers.  The  publisher  does  not.  assume  any  liability  for  errors  or  omissions. 


COMPANY  INDEX 

Accenture . .30 

Arch  Coal  Inc. . 41 

Bell  Canada  . 17 

Burton  Group . 41 

Current  Analysis  Inc . 30 

Deloitte  Development  LLC  . 22 

Direct  Energy  Marketing  Limited . 50 

EMCCorp . 30 

Forrester  Research  Inc . 17, 30 

Gartner  Inc . 11, 41 

Greenpeace  . 11 

Hewlett-Packard  Co . 8 

Hunton  &  Williams  LLP . .  .  11 

IBM . 11,30 

I  DC . 11,41 

Informatica  Corp . 30 

In-Stat  .  11 

Kalido . 30 

Microsoft  Corp . 30 

National  Aquarium  in  Baltimore . 22 

National  Retail  Federation . 22 

Nationwide  Mutual  Insurance  Company . 6,  30 

Nautilis  Advisors  LLC . 11 

Nokia . 11 

Oracle  Corp . 30 

PCI  Security  Standards  Council  LLC . 22 

Samsung  . 11 

Sony  Corp.  of  America  . 11 

Sony  Ericsson  Mobile  Communications  AB  . 11 

Teradata  Corp . 30 


TJX  Companies  inc . .22 

Unisys  . . 41 

VMware  Inc . . . 11,  41 

Yankee  Group  Research  Inc . 17 

ADVERTISER  INDEX 

3PAR  . .40 

AT&T  Wireless . . . 15 

Brocade . 7 

CA  . . . . . .  C4,  36a 

Capgemini  . 21 

CDWCorp . 16 

Cognos  Inc . 48 

CXO  Media  Inc.  . . .37,59 

Dell  Inc . .C3 

Hewlett-Packard  Co.  . 5, 32a,  43 

IBM  Corp.  . . .52 

InterSystems  Corp . 9 

ISC . . . 35 

Microsoft  Corp . .  .  C2, 19, 45 

Microsoft  and  Novell . 13 

NEC  Corp . . . 2 

Oracle  Corp . 28 

Pakistan  Software  Export  Board . 47 

Palm  Inc . 38 

Primavera  Systems  Inc . 55 

SAS  . 10 

Sun  Microsystems  Inc . 27 

SunGard  Availability  Services  Inc . 57 

Toshiba  America  Business  Solutions  Inc . 25 

Toshiba  America  Information  Systems  Inc . 51 


CIO  CONTACT 
INFORMATION 

Editorial,  Advertising  and 
Business  Offices:  CXO  Media 
Inc.,  492  Old  Connecticut  Path, 
P.O.  Box  9208,  Framingham,  MA 
01701-9208,  508  872-0080. 

CIO  (ISSN  0894-9301)  is  pub¬ 
lished  semimonthly  and  as  a 
combined  issue  Dec.  15/Jan.  1  by 
CXO  Media  Inc.  Periodicals  post¬ 
age  paid  at  Framingham,  MA,  and 
at  additional  mailing  offices.  Can¬ 
ada  Publications  Mail  Agreement 
Number  1902075.  CANADIAN 
POSTMASTER:  Please  return 
undeliverable  copy  to  P.O.  Box 
1632,  Windsor,  ON  N9A7C9. 

Reprints  &  Permissions: 

For  information  about  reprints 
and  copyright  permissions, 
please  contact  The  YGS  Group, 
800-290-5460,  ext.  150, 
cio@theygsgroup.com. 

Photocopy  Rights:  Permission 
to  photocopy  for  interna!  or 
personal  use  or  the  internal  or 
personal  use  of  specific  clients  is 
granted  by  CIO  for  users  through 
the  Copyright  Clearance  Center, 
provided  that  a  fee  of  $3.50  per 
copy  of  the  article  is  paid  directly 
to  Copyright  Clearance  Center, 
222  Rosewood  Drive,  Danvers, 

MA  01970.  www.copyright.com. 
Please  specify:  ISSN  0894-9301. 
Permission  to  photocopy  does 
not  extend  to  contributed  articles 
followed  by  this  symbol:  %. 

Subscriptions:  CIO  is  free  to  qual¬ 
ified  information  executives.  To 
apply,  use  our  online  subscription 
form  atsubscribe.cio.com.  Sub¬ 
scriptions  are  also  available  on  a 
paid  basis  at  a  rate  of  $95  for  the 
United  States  and  Canada,  $195 
International  (payable  in  U.S. 
funds  only)  and  may  be  ordered 
online  at  subscribe.cio.com/ 
services.html.  Or  address 
inquiries  to  CIO,  P.O.  Box  489, 
Northbrook,  IL  60065-0489;  866 
354-1125.  Please  allow  fourto 
six  weeks  for  a  new  subscription 
to  begin.  The  single  copy  price 
is  $9  forthe  United  States  and 
Canada,  and  $15  International. 
Prepayment  is  required,  payable 
in  U.S.  funds. 

Change  of  Address:  Please  go  to 
www.omeda.com/custsrv/cio 
and  follow  the  online  instructions. 

Postmaster:  Send  change  of 
address  to  CIO,  P.O.  Box  489, 
Northbrook,  IL  60065-9816. 
Printed  in  the  U.S. A. 


58  JANUARY  15,  2008  |  www.cio.com 


IT  Makes  Winners. 


You  can’t  beat  the  competition  by  standing  still. 
And  you  can't  move  ahead  without  the  edge 
technology  provides. 

We  want  to  know  how  IT  makes  your 
company  grow. 

We’re  celebrating  all  the  innovative  ways  that  IT  can  deliver  a 
competitive  advantage  to  the  enterprise.  Perhaps  you  took  a  risk 
on  an  emerging  technology  or  deployed  the  tried  and  true  in  a 
new  way.  Maybe  you  built  a  better  business  process  or  fostered 
closer  collaboration.  Or  you  found  ways  to  get  closer  to  existing 
customers,  to  pursue  new  markets,  to  save  money,  to  make  more. 

If  you  can  show  measurable  results  of  technology  i  nnovations  that 
have  enabled  or  led  the  way  to  greater  success  for  your  organization, 
then  our  readers— your  peers— want  to  know  about  you. 

Be  recognized  as  one  of  the  CIO  100. 

Apply  now  for  the  21st  Annual  CIO  100  Awards. 


.  ~  v:  .  .  ' 

CIO  100  honorees  will  be 
recognized  at  the  annual 
CIO  100  Symposium  &  Awards 
Ceremony,  Aug.  24-26, 2008, 
at  The  Broadmoor  in  Colorado 
Springs,  Colo.  Honorees— 
and  their  winning  ideas— will 
also  be  featured  online  and  in 
the  Aug.  15, 2008,  issue  of  CIO. 

To  learn  more  about  the  CIO  100 
Awards  and  get  an  application, 

go  to  www.cio.com/cio-awards/ 
ciolOO/index 


Presented  by 


11  '  ‘  I've  Learned 


THE  VOICE  OF  EXPERIENCE  *  AS  TOLD  TO 


Tom  Ridge,  former 
U.S,  secretary  of 
homeland  security, 
now  heads  Ridge 
Global,  an  advisory 
firm.  He  believes 
another  terrorist 
attack  is  likely. 


Complacency  is 
what  keeps  me 
awake  at  night. 

It’s  predictable  in  human 
terms,  but  unacceptable 
as  well.  We  don't  seem  to 
have  that  same  sense  of 
urgency  that  we  did  in  the 
first  years  after  9/11.  The 
professionals  have  it:  the 
police,  firefighters,  emer¬ 
gency  service  personnel 
and  the  military.  But  in 
the  corporate  world— and 
even  to  a  certain  extent, 
the  political  world— there 
isn’t  that  urgency. 

We  can't  secure  the 
country  from  inside 
Washington,  D.C. 

We  should  look  to 
the  private  sector 
for  best  practices 
to  respond  to 
disaster.  That 
will  take  a  major 
upheaval,  but  I 
strongly  believe  in 
it.  We’ve  got  the  tal¬ 
ent  and  interest  and 
commitment  in  the 
private  sector.  There 
are  so  many  things  the 
private  sector  could  help 
us  do  more  effectively.  At 
the  end  of  the  day,  col¬ 
laboration  is  critically 
important.  The  fed¬ 
eral  government 
needs  to  work 
with  the  private 
sector. 


You  can't  prepare 
for  everything. 

So  be  prepared  for  the 
unpredictable.  There  is 
an  element  of  surprise 
associated  with  every 
crisis  you  face.  I  served 
in  Vietnam;  most  in  the 
military  will  tell  you  that 
you  reduce  losses  and 
enhance  success  by  hav¬ 
ing  the  right  equipment, 
training  and  people.  And 
it  applies  to  the  corpo¬ 
rate  world,  too.  Have  you 
empowered  your  CIO  or 
CSO  to  look  critically  at 
your  entire  infrastruc¬ 
ture  and  make  specific 
requests?  Do  you  have  a 
business  continuity  plan, 
and  do  you  exercise  it? 
Have  you  tried  it  out? 
There  are  basic  lessons  in 
planning  and  trainingthat 
are  helpful  because  some¬ 
times  you  don’t  have  time 
think;  you  fiist  have 
time  to  reafi.  But  if  you’ve 
trained  and  planned  a 
certain  way,  cha|ce|fere 
good  you  will  react  the 
right  way. 

I  have  empathy  for 
CIOs  and  CSOs. 

When  they  want  to 
beef  up  IT  systems  and 
embef|preparedness  and 
recovery  plans  into  their 
networks,  they  have  to  go 
to  the  CFO  and  CEO  and 
say,  “I  need  X  number  of 


KATHERINE  WALSH 


dollars  to  do  this."  And  the 
first  response  they  get  is, 
“What’s  the  risk?  That’s 
a  big  expense.  Where’s 
the  ROI?”  But  I  think  in  a 
more  globally  competitive 
and  interdependent  mar¬ 
ketplace— a  post-9/11, 
Sarbanes-Oxley  world— 
there  are  far  greater 
vulnerabilities  to  a  com¬ 
mercial  enterprise  today 
than  ever  before.  It’s  not 
just  about  profitability. 

It’s  about  the  intangible 
asset— your  brand— that’s 
at  risk.  I  would  hope 
CFOs  and  CEOs  and 
boards  of  directors  pay 
more  attention  to  the  risk 
assessment  rendered  by 
security  or  information 
officers  when  parceling 
out  annual  budgets.  You 
have  to  manage  the  risks, 
and  there  are  certain  ones 
that  need  to  be  managed, 
regardless  of  ROI. 

Do  I  think  about 
a  terrorist  attack 
every  day? 

I  don’t  because  I’m  pre¬ 
pared.  But  I  think  about 
terrorism  in  general.  We 
need  to  accept  the  reality 
that  this  is  the  new  norm.  I 
believe  an  attack  will  hap¬ 
pen  again,  but  I’m  as  pre¬ 
pared  for  it  as  I  can  be. 


To  comment,  go  to  www.cio 
.com/article/149601. 


60  JANUARY  15,  2008  |  www.cio.com 


PHOTO  BY  DAVID  F I ELDS/CORBI S 


I  According  to  Forrester  Research,  more  than  half  the  enterprise 
companies  in  North  America  and  Europe  rely  on  Dell 
I  for  notebook  and  desktop  computers. 

-How  Enterprise  Buyers  Rate  Their  PC  Suppliers  And  What  it 
Means  For  Future  Purchases,  Forrester,  November  2007. 


GET  YOUR  FREE  COPY  OF  FORRESTER’S  REPORT  AT 

DELL.COM/Numberone 


Actual  Forrester  quote:  “Dell  Is  clearly  the  No.  1  enterprise  desktop  and  laptop  supplier.”  Survey  question:  “From  which  vendor 
did  you  purchase  desktops  in  the  last  12  months?”  Base:  565  PC  decision-makers  at  North  American  and  European  Enterprises. 


It  all  begins  with  a  single  view  of  your  entire  IT  portfolio  — a  scenic  overlook  of  your  assets,  resources,  projects  and 
services.  From  there,  you  can  plan  better,  manage  better.  You  can  make  informed  decisions,  smart  trade-offs  and 
wise  investments.  In  short,  you  can  budget,  forecast  and  track  with  insight,  accuracy  and  verve.  Yes,  verve.  And 
that's  everything  you  need  to  translate  IT  value  into  terms  that  bring  nods  of  enlightenment  from  your  business 
partners.  To  learn  more,  download  the  white  paper  "Generating  Premium  Returns  on  IT  Investments"  at  ca.com/itg. 


GOVERN  »  MANAGE  •  SECURE 


Transforming 
IT  Management 


